├── .github ├── dependabot.yml └── workflows │ └── maven.yaml ├── .gitignore ├── .mvn └── jvm.config ├── DevStyleHtml.prefs ├── DevStyleXml.prefs ├── LICENSE ├── README.md ├── examplescripts_configfiles ├── anonymousScoringConfig.yaml ├── createAnonScorecards.sh ├── createScorecards.bat ├── createScorecards.sh ├── runCrawler.bat ├── runCrawler.sh └── score_v1.3config.yaml ├── library ├── pom.xml └── src │ └── main │ ├── java │ └── org │ │ └── owasp │ │ └── benchmarkutils │ │ └── helpers │ │ ├── Categories.java │ │ ├── Category.java │ │ └── CodeblockUtils.java │ └── resources │ └── categories.xml ├── plugin ├── pom.xml └── src │ ├── main │ ├── java │ │ └── org │ │ │ └── owasp │ │ │ └── benchmarkutils │ │ │ ├── helpers │ │ │ ├── CategoryAdapter.java │ │ │ ├── JerseyTestCase.java │ │ │ ├── PropertiesManager.java │ │ │ ├── RequestVariable.java │ │ │ ├── ServletTestCase.java │ │ │ ├── SpringTestCase.java │ │ │ ├── TestCase.java │ │ │ ├── TestCaseRequestFileParseException.java │ │ │ ├── TestSuite.java │ │ │ └── Utils.java │ │ │ ├── score │ │ │ ├── BenchmarkScore.java │ │ │ ├── CategoryResults.java │ │ │ ├── Configuration.java │ │ │ ├── CweNumber.java │ │ │ ├── ResultFile.java │ │ │ ├── TP_FN_TN_FP_Counts.java │ │ │ ├── TestCaseResult.java │ │ │ ├── TestSuiteResults.java │ │ │ ├── Tool.java │ │ │ ├── ToolResults.java │ │ │ ├── WriteTime.java │ │ │ ├── domain │ │ │ │ └── TestSuiteName.java │ │ │ ├── parsers │ │ │ │ ├── AcunetixReader.java │ │ │ │ ├── AppScanDynamicReader.java │ │ │ │ ├── AppScanSourceReader.java │ │ │ │ ├── ArachniReader.java │ │ │ │ ├── BearerReader.java │ │ │ │ ├── BlackDuckReader.java │ │ │ │ ├── BurpJsonReader.java │ │ │ │ ├── BurpReader.java │ │ │ │ ├── CASTAIPReader.java │ │ │ │ ├── CheckmarxESReader.java │ │ │ │ ├── CheckmarxIASTReader.java │ │ │ │ ├── CheckmarxReader.java │ │ │ │ ├── ContrastAssessReader.java │ │ │ │ ├── CoverityReader.java │ │ │ │ ├── CrashtestReader.java │ │ │ │ ├── DatadogReader.java │ │ │ │ ├── FaastReader.java │ │ │ │ ├── FindbugsReader.java │ │ │ │ ├── FluidAttacksReader.java │ │ │ │ ├── FortifyReader.java │ │ │ │ ├── FusionLiteInsightReader.java │ │ │ │ ├── HCLAppScanIASTReader.java │ │ │ │ ├── HCLAppScanSourceReader.java │ │ │ │ ├── HCLAppScanStandardReader.java │ │ │ │ ├── HorusecReader.java │ │ │ │ ├── InsiderReader.java │ │ │ │ ├── JuliaReader.java │ │ │ │ ├── KiuwanReader.java │ │ │ │ ├── KlocworkCSVReader.java │ │ │ │ ├── MendReader.java │ │ │ │ ├── NJSScanReader.java │ │ │ │ ├── NetsparkerReader.java │ │ │ │ ├── NoisyCricketReader.java │ │ │ │ ├── PMDReader.java │ │ │ │ ├── ParasoftReader.java │ │ │ │ ├── QualysWASReader.java │ │ │ │ ├── Rapid7Reader.java │ │ │ │ ├── Reader.java │ │ │ │ ├── ReshiftReader.java │ │ │ │ ├── ScnrReader.java │ │ │ │ ├── SeekerReader.java │ │ │ │ ├── SemgrepReader.java │ │ │ │ ├── ShiftLeftReader.java │ │ │ │ ├── ShiftLeftScanReader.java │ │ │ │ ├── SnappyTickReader.java │ │ │ │ ├── SonarQubeJsonReader.java │ │ │ │ ├── SonarQubeReader.java │ │ │ │ ├── SourceMeterReader.java │ │ │ │ ├── ThunderScanReader.java │ │ │ │ ├── VeracodeReader.java │ │ │ │ ├── VisualCodeGrepperReader.java │ │ │ │ ├── W3AFReader.java │ │ │ │ ├── WapitiJsonReader.java │ │ │ │ ├── WapitiReader.java │ │ │ │ ├── WebInspectReader.java │ │ │ │ ├── ZapJsonReader.java │ │ │ │ ├── ZapReader.java │ │ │ │ ├── csv │ │ │ │ │ ├── SemgrepCSVReader.java │ │ │ │ │ └── WhiteHatDynamicReader.java │ │ │ │ └── sarif │ │ │ │ │ ├── CodeQLReader.java │ │ │ │ │ ├── ContrastScanReader.java │ │ │ │ │ ├── DatadogSastReader.java │ │ │ │ │ ├── FortifySarifReader.java │ │ │ │ │ ├── PTAIReader.java │ │ │ │ │ ├── PrecautionReader.java │ │ │ │ │ ├── SarifReader.java │ │ │ │ │ ├── SemgrepSarifReader.java │ │ │ │ │ └── SnykReader.java │ │ │ ├── report │ │ │ │ ├── Formats.java │ │ │ │ ├── ScatterHome.java │ │ │ │ ├── ScatterInterpretation.java │ │ │ │ ├── ScatterPlot.java │ │ │ │ ├── ScatterTools.java │ │ │ │ ├── ScatterVulns.java │ │ │ │ ├── ToolBarChart.java │ │ │ │ ├── ToolReport.java │ │ │ │ └── html │ │ │ │ │ ├── CommercialAveragesTable.java │ │ │ │ │ ├── HtmlStringBuilder.java │ │ │ │ │ ├── MenuUpdater.java │ │ │ │ │ ├── OverallStatsTable.java │ │ │ │ │ ├── ToolBarChartProvider.java │ │ │ │ │ ├── ToolReportProvider.java │ │ │ │ │ ├── ToolScorecard.java │ │ │ │ │ └── VulnerabilityStatsTable.java │ │ │ └── service │ │ │ │ ├── ExpectedResultsProvider.java │ │ │ │ └── ResultsFileCreator.java │ │ │ └── tools │ │ │ ├── AbstractTestCaseRequest.java │ │ │ ├── BenchmarkCrawler.java │ │ │ ├── BenchmarkCrawlerVerification.java │ │ │ ├── CalculateToolCodeBlocksSupport.java │ │ │ ├── CodeBlockSupportResults.java │ │ │ ├── JerseyTestCaseRequest.java │ │ │ ├── Logger.java │ │ │ ├── LoggerConfigurationException.java │ │ │ ├── NoisyCricket.java │ │ │ ├── RegressionTesting.java │ │ │ ├── ResponseInfo.java │ │ │ ├── ServletTestCaseRequest.java │ │ │ ├── SimpleFileLogger.java │ │ │ ├── SpringTestCaseRequest.java │ │ │ └── TestCaseVerificationResults.java │ └── resources │ │ ├── benchmark.properties │ │ ├── defaultscoringconfig.yaml │ │ └── scorecard │ │ ├── Scorecard_Guide.html │ │ ├── Scorecard_Home.html │ │ ├── commercialAveTemplate.html │ │ ├── content │ │ ├── css │ │ │ ├── bootstrap-theme.css │ │ │ ├── bootstrap-theme.css.map │ │ │ ├── bootstrap-theme.min.css │ │ │ ├── bootstrap.css │ │ │ ├── bootstrap.css.map │ │ │ └── bootstrap.min.css │ │ ├── fonts │ │ │ ├── glyphicons-halflings-regular.eot │ │ │ ├── glyphicons-halflings-regular.svg │ │ │ ├── glyphicons-halflings-regular.ttf │ │ │ ├── glyphicons-halflings-regular.woff │ │ │ └── glyphicons-halflings-regular.woff2 │ │ └── js │ │ │ ├── bootstrap.js │ │ │ ├── bootstrap.min.js │ │ │ └── npm.js │ │ ├── template.html │ │ └── vulntemplate.html │ └── test │ ├── java │ └── org │ │ └── owasp │ │ └── benchmarkutils │ │ └── score │ │ ├── BenchmarkScoreTest.java │ │ ├── ConfigurationTest.java │ │ ├── TestHelper.java │ │ ├── builder │ │ ├── ConfigurationBuilder.java │ │ ├── TestCaseResultBuilder.java │ │ ├── TestSuiteResultsBuilder.java │ │ ├── ToolBuilder.java │ │ └── ToolResultsBuilder.java │ │ ├── domain │ │ └── TestSuiteNameTest.java │ │ ├── parsers │ │ ├── AcunetixReaderTest.java │ │ ├── ArachniReaderTest.java │ │ ├── BearerReaderTest.java │ │ ├── BlackDuckReaderTest.java │ │ ├── BurpReaderTest.java │ │ ├── CASTAIPReaderTest.java │ │ ├── CheckmarxIASTReaderTest.java │ │ ├── CheckmarxReaderTest.java │ │ ├── CoverityReaderTest.java │ │ ├── DatadogReaderTest.java │ │ ├── FindbugsReaderTest.java │ │ ├── FluidAttacksReaderTest.java │ │ ├── FortifyReaderTest.java │ │ ├── HCLAppScanIASTReaderTest.java │ │ ├── HCLAppScanSourceReaderTest.java │ │ ├── HCLAppScanStandardReaderTest.java │ │ ├── HorusecReaderTest.java │ │ ├── InsiderReaderTest.java │ │ ├── JuliaReaderTest.java │ │ ├── KiuwanReaderTest.java │ │ ├── KlocworkCSVReaderTest.java │ │ ├── MendReaderTest.java │ │ ├── NetsparkerReaderTest.java │ │ ├── ParasoftReaderTest.java │ │ ├── Rapid7ReaderTest.java │ │ ├── ReaderTest.java │ │ ├── ReaderTestBase.java │ │ ├── ScnrReaderTest.java │ │ ├── SeekerReaderTest.java │ │ ├── SemgrepReaderTest.java │ │ ├── ShiftLeftScanReaderTest.java │ │ ├── SonarQubeJsonReaderTest.java │ │ ├── SonarQubeReaderTest.java │ │ ├── ThunderScanReaderTest.java │ │ ├── VeracodeReaderTest.java │ │ ├── VisualCodeGrepperReaderTest.java │ │ ├── W3AFReaderTest.java │ │ ├── WapitiJsonReaderTest.java │ │ ├── WapitiReaderTest.java │ │ ├── ZapJsonReaderTest.java │ │ ├── ZapReaderTest.java │ │ ├── csv │ │ │ └── WhiteHatDynamicReaderTest.java │ │ └── sarif │ │ │ ├── CodeQLReaderTest.java │ │ │ ├── ContrastScanReaderTest.java │ │ │ ├── DatadogSastReaderTest.java │ │ │ ├── PTAIReaderTest.java │ │ │ ├── PrecautionReaderTest.java │ │ │ ├── SarifReaderTest.java │ │ │ ├── SemgrepSarifReaderTest.java │ │ │ └── SnykReaderTest.java │ │ ├── report │ │ ├── FormatsTest.java │ │ └── html │ │ │ ├── CommercialAveragesTableTest.java │ │ │ ├── HtmlStringBuilderTest.java │ │ │ ├── MenuUpdaterTest.java │ │ │ ├── OverallStatsTableTest.java │ │ │ ├── ToolScorecardTest.java │ │ │ └── VulnerabilityStatsTableTest.java │ │ └── service │ │ ├── ExpectedResultsProviderTest.java │ │ └── ResultsFileCreatorTest.java │ └── resources │ ├── expectedresults-1.2-extended.csv │ ├── expectedresults-1.2-simple.csv │ ├── report-html-config.yml │ └── testfiles │ ├── Benchmark-BlackDuck.json │ ├── Benchmark_1.2-Datadog.log │ ├── Benchmark_Acunetix-v1.4.1.xml │ ├── Benchmark_Acunetix-v15.3.xml │ ├── Benchmark_AppSpider-v7.2.119-1234.xml │ ├── Benchmark_Arachni-v2.0dev.xml │ ├── Benchmark_Bearer-v1.30.0.jsonv2 │ ├── Benchmark_BurpPro-v2020.2.1.xml │ ├── Benchmark_CAST_AIP-v8.2.3.xml │ ├── Benchmark_Checkmarx-v8.2.xml │ ├── Benchmark_CodeQL-v2.13.alternative.sarif │ ├── Benchmark_CodeQL-v2.13.sarif │ ├── Benchmark_Contrast_3.9.0.sarif.json │ ├── Benchmark_Coverity-v10.0.json │ ├── Benchmark_Coverity-v3.0.json │ ├── Benchmark_CxIAST.csv │ ├── Benchmark_DatadogSast.sarif │ ├── Benchmark_Fluid-Attacks-v20210416.csv │ ├── Benchmark_Fortify20.20_2020Q1-1234.fpr │ ├── Benchmark_HCL-IAST.hcl │ ├── Benchmark_HCL-IAST_DateTime.hcl │ ├── Benchmark_HCLAppScanSource-2.4.xml │ ├── Benchmark_HCLAppScanStandardReader-v10.0.6.xml │ ├── Benchmark_JuliaSoft-v2.3.2.1.xml │ ├── Benchmark_Kiuwan-20191012.threadfix │ ├── Benchmark_Klocwork.csv │ ├── Benchmark_Mend.xml │ ├── Benchmark_Netsparker.xml │ ├── Benchmark_PTAI-v4.7.2.sarif │ ├── Benchmark_ParasoftJTest-v10.2.3.xml │ ├── Benchmark_Precaution.sarif │ ├── Benchmark_SCNR.json │ ├── Benchmark_SCNR.xml │ ├── Benchmark_Seeker.csv │ ├── Benchmark_SnykCodeCli.sarif │ ├── Benchmark_ThunderScan.xml │ ├── Benchmark_Veracode.xml │ ├── Benchmark_Wapiti-v3.0.3.xml │ ├── Benchmark_Wapiti-v3.0.5.json │ ├── Benchmark_WhiteHat.csv │ ├── Benchmark_ZAP-v2.10.0-oldfmt.json │ ├── Benchmark_ZAP-v2.11.1.json │ ├── Benchmark_ZAP_WEEKLY.xml │ ├── Benchmark_findsecbugs-v1.11.0-105.xml │ ├── Benchmark_horusec-v2.5.0.json │ ├── Benchmark_insider-v3.0.0.json │ ├── Benchmark_semgrep-oss-v1.67.0.sarif │ ├── Benchmark_semgrep-pro-v1.68.1.sarif │ ├── Benchmark_semgrep-v0.121.0.json │ ├── Benchmark_semgrep-v0.65.0.json │ ├── Benchmark_shiftleftscan-v2.0.3.json │ ├── Benchmark_sonar-Java-Plugin-v3.14-1234.xml │ ├── Benchmark_sonarqube-v25.1.0.102122.json │ ├── Benchmark_sonarqube-v9.1.0.47736.json │ ├── Benchmark_spotbugs-v4.1.4-104.xml │ ├── Benchmark_visualcodegrepper-v2.2.0.xml │ ├── Benchmark_w3af-v1.7.6.xml │ └── README.md ├── pom.xml └── scripts └── verifyBenchmarkPluginAvailable.sh /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Please see the documentation for all configuration options: 2 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 3 | 4 | version: 2 5 | updates: 6 | - package-ecosystem: "github-actions" 7 | directory: "/" 8 | schedule: 9 | interval: "daily" 10 | - package-ecosystem: "maven" 11 | directory: "/" 12 | schedule: 13 | interval: "daily" 14 | open-pull-requests-limit: 10 15 | labels: 16 | - dependencies 17 | -------------------------------------------------------------------------------- /.github/workflows/maven.yaml: -------------------------------------------------------------------------------- 1 | name: Java CI with Maven 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | 8 | runs-on: ubuntu-latest 9 | 10 | steps: 11 | - uses: actions/checkout@v4 12 | with: 13 | fetch-depth: 0 14 | - name: Set up JDK 11 15 | uses: actions/setup-java@v4 16 | with: 17 | java-version: '11' 18 | distribution: 'adopt' 19 | cache: maven 20 | - name: Build, test, and Install shared library 21 | run: mvn install 22 | 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | .project 3 | .java-version 4 | .keystore 5 | .idea/ 6 | 7 | # Package Files # 8 | *.jar 9 | 10 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 11 | *.classpath 12 | .settings/ 13 | *.DS_Store 14 | plugin/src/main/resources/benchmark.properties 15 | internalonly/ 16 | target/ 17 | 18 | -------------------------------------------------------------------------------- /.mvn/jvm.config: -------------------------------------------------------------------------------- 1 | --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED 2 | --add-opens java.base/java.lang=ALL-UNNAMED 3 | 4 | --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED 5 | --add-exports=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED 6 | --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED 7 | --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED 8 | --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED 9 | -------------------------------------------------------------------------------- /DevStyleHtml.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | indentationChar=space 3 | indentationSize=4 4 | lineWidth=999 5 | -------------------------------------------------------------------------------- /DevStyleXml.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | indentationChar=space 3 | indentationSize=4 4 | lineWidth=999 5 | formatCommentJoinLines=false -------------------------------------------------------------------------------- /examplescripts_configfiles/anonymousScoringConfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration simply enables anonymous scoring mode 2 | 3 | anonymousmode: true # If true, anonymize names of commercial tools 4 | 5 | -------------------------------------------------------------------------------- /examplescripts_configfiles/createAnonScorecards.sh: -------------------------------------------------------------------------------- 1 | source "scripts/verifyBenchmarkPluginAvailable.sh" 2 | mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/anonymousScoringConfig.yaml 3 | 4 | -------------------------------------------------------------------------------- /examplescripts_configfiles/createScorecards.bat: -------------------------------------------------------------------------------- 1 | # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet) 2 | #mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml 3 | call mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard 4 | 5 | -------------------------------------------------------------------------------- /examplescripts_configfiles/createScorecards.sh: -------------------------------------------------------------------------------- 1 | source "scripts/verifyBenchmarkPluginAvailable.sh" 2 | #mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard -DconfigFile=config/score_v1.3config.yaml 3 | mvn -Djava.awt.headless=true org.owasp:benchmarkutils-maven-plugin:create-scorecard 4 | 5 | -------------------------------------------------------------------------------- /examplescripts_configfiles/runCrawler.bat: -------------------------------------------------------------------------------- 1 | # An EXAMPLE of how to run the crawler on a TARGET test suite using the Benchmark Maven Plugin 2 | CALL mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/TESTSUITENAME-crawler-http.xml 3 | 4 | -------------------------------------------------------------------------------- /examplescripts_configfiles/runCrawler.sh: -------------------------------------------------------------------------------- 1 | # An EXAMPLE of how to run the crawler on a TARGET test suite using the Benchmark Maven Plugin 2 | source "scripts/verifyBenchmarkPluginAvailable.sh" 3 | mvn org.owasp:benchmarkutils-maven-plugin:run-crawler -DcrawlerFile=data/TESTSUITENAME-crawler-http.xml 4 | 5 | -------------------------------------------------------------------------------- /examplescripts_configfiles/score_v1.3config.yaml: -------------------------------------------------------------------------------- 1 | # This configuration scores v1.3 of the test suite, instead of the default version 2 | 3 | expectedresults: expectedresults-1.3.csv 4 | -------------------------------------------------------------------------------- /library/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | benchmark.utils 4 | jar 5 | 6 | OWASP Benchmark Utilities Library 7 | OWASP Benchmark is one or more test suites designed to evaluate the accuracy, coverage, and speed of automated software vulnerability detection tools. This library provides classes used by other Benchmark projects, such as the benchmarkutils-maven-plugin, and Benchmark for Java. 8 | 9 | 10 | org.owasp 11 | benchmarkutils-parent 12 | 1.3 13 | 14 | 15 | 16 | benchmarkutils 17 | 18 | 19 | 20 | ${basedir}/src/main/resources 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /library/src/main/java/org/owasp/benchmarkutils/helpers/Category.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | /* 21 | * This class contains a single vulnerability category. And is Comparable to other Category instances 22 | * via its 'name' attribute (i.e., the long nname). 23 | */ 24 | public class Category implements Comparable { 25 | 26 | private final String id; // e.g., pathtraver 27 | private final String name; // e.g., Path Traversal 28 | private final int CWE; 29 | private final boolean isInjection; 30 | private final String shortName; // PATH 31 | 32 | /** 33 | * Create a vuln category. 34 | * 35 | * @param id The short name for the category, e.g., xss. 36 | * @param name The long name of the category, e.g., Cross Site Scripting 37 | * @param cwe The associated CWE number. 38 | * @param isInjection Whether this vuln category is a type of injection attack. 39 | */ 40 | public Category(String id, String name, int cwe, boolean isInjection, String shortname) { 41 | this.id = id; 42 | this.name = name; 43 | this.CWE = cwe; 44 | this.isInjection = isInjection; 45 | this.shortName = shortname; 46 | } 47 | 48 | public String getId() { 49 | return this.id; 50 | } 51 | 52 | public String getName() { 53 | return this.name; 54 | } 55 | 56 | public int getCWE() { 57 | return this.CWE; 58 | } 59 | 60 | public boolean isInjection() { 61 | return this.isInjection; 62 | } 63 | 64 | public String getShortName() { 65 | return this.shortName; 66 | } 67 | 68 | public String toString() { 69 | return getId(); 70 | } 71 | 72 | @Override 73 | public int compareTo(Category cat) { 74 | if (this.id.equals(cat)) return 0; 75 | return this.name.compareTo(cat.name); 76 | } 77 | 78 | @Override 79 | public boolean equals(Object o) { 80 | if (o == this) return true; 81 | if (!(o instanceof Category)) return false; 82 | Category other = (Category) o; 83 | return (this.id == null && other.id == null) 84 | || (this.id != null && this.id.equals(other.id)); 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/CategoryAdapter.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | import javax.xml.bind.annotation.adapters.XmlAdapter; 21 | 22 | public class CategoryAdapter extends XmlAdapter { 23 | 24 | public String marshal(Category category) { 25 | return category.getId(); 26 | } 27 | 28 | public Category unmarshal(String value) { 29 | return Categories.getById(value); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/JerseyTestCase.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue; 21 | 22 | @XmlDiscriminatorValue("JERSEYWS") 23 | public class JerseyTestCase extends TestCase { 24 | public JerseyTestCase() {} 25 | } 26 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/ServletTestCase.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue; 21 | 22 | @XmlDiscriminatorValue("SERVLET") 23 | public class ServletTestCase extends TestCase { 24 | public ServletTestCase() {} 25 | } 26 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/SpringTestCase.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue; 21 | 22 | @XmlDiscriminatorValue("SPRINGWS") 23 | public class SpringTestCase extends TestCase { 24 | public SpringTestCase() {} 25 | } 26 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/TestCaseRequestFileParseException.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | public class TestCaseRequestFileParseException extends Exception { 21 | 22 | public TestCaseRequestFileParseException(String message) { 23 | super(message); 24 | } 25 | 26 | public TestCaseRequestFileParseException(String message, Exception e) { 27 | super(message, e); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/helpers/TestSuite.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https:/owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.helpers; 19 | 20 | import java.util.List; 21 | import javax.xml.bind.annotation.XmlAttribute; 22 | import javax.xml.bind.annotation.XmlElement; 23 | import javax.xml.bind.annotation.XmlRootElement; 24 | import org.owasp.benchmarkutils.tools.AbstractTestCaseRequest; 25 | 26 | @XmlRootElement(name = "benchmarkSuite") 27 | public class TestSuite { 28 | private List testCases; 29 | 30 | private String name; // Name of the test suite, e.g., benchmark (Which is BenchmarkJava) 31 | 32 | private String version; 33 | 34 | @XmlElement(name = "benchmarkTest") 35 | public List getTestCases() { 36 | return testCases; 37 | } 38 | 39 | public void setTestCases(List testCases) { 40 | this.testCases = testCases; 41 | } 42 | 43 | @XmlAttribute(name = "testsuite", required = true) 44 | public String getName() { 45 | return name; 46 | } 47 | 48 | public void setName(String name) { 49 | this.name = name; 50 | } 51 | 52 | @XmlAttribute(name = "version", required = true) 53 | public String getVersion() { 54 | return version; 55 | } 56 | 57 | public void setVersion(String version) { 58 | this.version = version; 59 | } 60 | 61 | /** 62 | * Dump out some basic details from the Crawler file to the command line to verify it was read 63 | * in properly. Used for debugging. 64 | */ 65 | public void dumpBasicDetails() { 66 | System.out.println("Test suite name and version: " + name + " v" + version); 67 | System.out.println("Total test cases: " + this.getTestCases().size()); 68 | } 69 | 70 | @Override 71 | public String toString() { 72 | return "TestSuite [testCases=" + testCases + "]"; 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/CategoryResults.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Dave Wichers 16 | * @created 2015 17 | */ 18 | package org.owasp.benchmarkutils.score; 19 | 20 | public class CategoryResults { 21 | public final String category; 22 | public final double precision; // TP / TP + FP 23 | public final double truePositiveRate; // AKA Recall 24 | public final double falsePositiveRate; 25 | public final double fscore; // 2 * precision * TPR / ( precision + TPR ) 26 | public final int totalTestCases; 27 | public final double score; 28 | 29 | /** 30 | * The overall results for a single vulnerability category for a single tool. F-Score and score 31 | * are automatically calculated for these results when this is created. 32 | * 33 | * @param category - The vulnerability category. 34 | * @param precision - The precision 35 | * @param tpr - The true positive rate 36 | * @param fpr - The false positive rate 37 | * @param totalTestCases - The total number of TP, FP, TN, FN in this category 38 | */ 39 | public CategoryResults( 40 | String category, double precision, double tpr, double fpr, int totalTestCases) { 41 | if (Double.isNaN(precision)) { 42 | throw new IllegalArgumentException( 43 | "ERROR: precision for category: " + category + " is NaN"); 44 | } 45 | if (Double.isNaN(tpr)) { 46 | throw new IllegalArgumentException( 47 | "ERROR: true positive rate for category: " + category + " is NaN"); 48 | } 49 | if (Double.isNaN(fpr)) { 50 | throw new IllegalArgumentException( 51 | "ERROR: false positive rate for category: " + category + " is NaN"); 52 | } 53 | 54 | this.category = category; 55 | this.precision = precision; 56 | this.truePositiveRate = tpr; 57 | this.falsePositiveRate = fpr; 58 | double fscore = 2 * precision * tpr / (precision + tpr); 59 | if (Double.isNaN(fscore)) { 60 | this.fscore = 0.0; 61 | } else this.fscore = fscore; 62 | this.totalTestCases = totalTestCases; 63 | this.score = tpr - fpr; 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/TP_FN_TN_FP_Counts.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Dave Wichers 16 | * @created 2015 17 | */ 18 | package org.owasp.benchmarkutils.score; 19 | 20 | /** 21 | * This class simply tracks the counts for the true positives, false negatives, true negatives, and 22 | * false positives for a particular tool against the test suite. 23 | */ 24 | public class TP_FN_TN_FP_Counts { 25 | 26 | public int tp = 0; 27 | public int fn = 0; 28 | public int tn = 0; 29 | public int fp = 0; 30 | 31 | public TP_FN_TN_FP_Counts() {} 32 | 33 | public TP_FN_TN_FP_Counts(int tp, int fn, int tn, int fp) { 34 | this.tp = tp; 35 | this.fn = fn; 36 | this.tn = tn; 37 | this.fp = fp; 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/domain/TestSuiteName.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.domain; 19 | 20 | public class TestSuiteName { 21 | 22 | private final String name; 23 | 24 | public TestSuiteName(String name) { 25 | this.name = name; 26 | } 27 | 28 | public String simpleName() { 29 | return name; 30 | } 31 | 32 | /** 33 | * If required, provide a more descriptive test suite name than the base, single word test suite 34 | * name. 35 | */ 36 | public String fullName() { 37 | if ("Benchmark".equals(name)) { 38 | return "OWASP Benchmark"; 39 | } 40 | 41 | return simpleName(); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/NoisyCricketReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details 14 | * 15 | * @author Dave Wichers 16 | * @created 2015 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import java.util.List; 21 | import org.owasp.benchmarkutils.score.ResultFile; 22 | import org.owasp.benchmarkutils.score.TestCaseResult; 23 | import org.owasp.benchmarkutils.score.TestSuiteResults; 24 | import org.w3c.dom.Node; 25 | 26 | public class NoisyCricketReader extends Reader { 27 | 28 | @Override 29 | public boolean canRead(ResultFile resultFile) { 30 | return resultFile.filename().endsWith(".xml") 31 | && resultFile.xmlRootNodeName().equals("noisycricket"); 32 | } 33 | 34 | @Override 35 | public TestSuiteResults parse(ResultFile resultFile) throws Exception { 36 | TestSuiteResults tr = 37 | new TestSuiteResults("NoisyCricket", false, TestSuiteResults.ToolType.SAST); 38 | tr.setTime("1 minute"); 39 | Node meta = getNamedChild("meta", resultFile.xmlRootNode()); 40 | tr.setToolVersion(getAttributeValue("version", meta)); 41 | 42 | Node vulns = getNamedChild("vulnerabilities", resultFile.xmlRootNode()); 43 | List items = getNamedChildren("vulnerability", vulns); 44 | for (Node item : items) { 45 | try { 46 | parseNoisyCricketIssue(item, tr); 47 | } catch (Exception e) { 48 | e.printStackTrace(); 49 | } 50 | } 51 | 52 | return tr; 53 | } 54 | 55 | private void parseNoisyCricketIssue(Node item, TestSuiteResults tr) { 56 | String testcase = getAttributeValue("file", item); 57 | 58 | String cwelist = getAttributeValue("cwelist", item); 59 | System.out.println(cwelist); 60 | cwelist = cwelist.substring(1, cwelist.length() - 1); 61 | if (!cwelist.isEmpty()) { 62 | String[] cwes = cwelist.split(", "); 63 | for (String cwe : cwes) { 64 | TestCaseResult tcr = new TestCaseResult(); 65 | tcr.setNumber(testNumber(testcase)); 66 | tcr.setCWE(Integer.parseInt(cwe)); 67 | tr.put(tcr); 68 | } 69 | } 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/DatadogSastReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Julien Delange 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import org.owasp.benchmarkutils.score.ResultFile; 21 | 22 | /** 23 | * This reader is made for the datadog-static-analyzer available on 24 | * .... 25 | * It uses the SARIF file produces by the tool. 26 | */ 27 | public class DatadogSastReader extends SarifReader { 28 | 29 | public DatadogSastReader() { 30 | super("datadog-static-analyzer", false, CweSourceType.TAG); 31 | } 32 | 33 | @Override 34 | public String toolName(ResultFile resultFile) { 35 | return "DatadogSast"; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Alexey Zhukov 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import org.owasp.benchmarkutils.score.CweNumber; 21 | import org.owasp.benchmarkutils.score.ResultFile; 22 | import org.owasp.benchmarkutils.score.TestSuiteResults; 23 | 24 | public class PTAIReader extends SarifReader { 25 | 26 | static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73; 27 | static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91; 28 | 29 | static final String EXPECTED_TOOL_NAME = "Positive Technologies Application Inspector"; 30 | static final String SHORTENED_TOOL_NAME = "PT Application Inspector"; 31 | 32 | public PTAIReader() { 33 | super(EXPECTED_TOOL_NAME, true, CweSourceType.FIELD); 34 | } 35 | 36 | @Override 37 | public String toolName(ResultFile resultFile) { 38 | return SHORTENED_TOOL_NAME; 39 | } 40 | 41 | /** 42 | * SARIF report tool version field is too long as it contains build number. Shorten it to X.Y.Z 43 | */ 44 | @Override 45 | public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) { 46 | super.setVersion(resultFile, testSuiteResults); 47 | String version = testSuiteResults.getToolVersion(); 48 | String[] versionItems = version.split("\\."); 49 | if (versionItems.length < 4) return; 50 | testSuiteResults.setToolVersion( 51 | String.format("%s.%s.%s", versionItems[0], versionItems[1], versionItems[2])); 52 | } 53 | 54 | @Override 55 | public int mapCwe(int cwe) { 56 | switch (cwe) { 57 | case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL: 58 | return CweNumber.PATH_TRAVERSAL; 59 | case PTAI_CWE_BLIND_XPATH_INJECTION: 60 | return CweNumber.XPATH_INJECTION; 61 | } 62 | return cwe; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PrecautionReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Eric Brown 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | public class PrecautionReader extends SarifReader { 21 | 22 | public PrecautionReader() { 23 | super("Precaution", false, CweSourceType.TAG); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import org.owasp.benchmarkutils.score.parsers.SemgrepReader; 21 | 22 | public class SemgrepSarifReader extends SarifReader { 23 | 24 | public SemgrepSarifReader() { 25 | super("Semgrep", false, CweSourceType.TAG); 26 | } 27 | 28 | @Override 29 | public int mapCwe(int cwe) { 30 | return SemgrepReader.translate(cwe); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details 14 | * 15 | * @author Raj Barath 16 | * @created 2023 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import org.owasp.benchmarkutils.score.CweNumber; 21 | 22 | public class SnykReader extends SarifReader { 23 | 24 | public SnykReader() { 25 | super("SnykCode", true, CweSourceType.FIELD); 26 | } 27 | 28 | @Override 29 | public int mapCwe(int cwe) { 30 | if (cwe == CweNumber.PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT) { 31 | return CweNumber.WEAK_HASH_ALGO; 32 | } 33 | 34 | if (cwe == CweNumber.RELATIVE_PATH_TRAVERSAL) { 35 | return CweNumber.PATH_TRAVERSAL; 36 | } 37 | 38 | return super.mapCwe(cwe); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/report/Formats.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.report; 19 | 20 | import java.text.DecimalFormat; 21 | 22 | public class Formats { 23 | 24 | public static final DecimalFormat twoDecimalPlacesPercentage = new DecimalFormat("#0.00%"); 25 | 26 | public static final DecimalFormat singleDecimalPlaceNumber = new DecimalFormat("0.0"); 27 | public static final DecimalFormat fourDecimalPlacesNumber = new DecimalFormat("#0.0000"); 28 | } 29 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/ToolBarChartProvider.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.report.html; 19 | 20 | import org.owasp.benchmarkutils.score.Tool; 21 | 22 | public interface ToolBarChartProvider { 23 | 24 | void generateComparisonCharts(Tool tool); 25 | } 26 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/ToolReportProvider.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.report.html; 19 | 20 | import java.io.File; 21 | import java.io.IOException; 22 | import org.owasp.benchmarkutils.score.Tool; 23 | 24 | public interface ToolReportProvider { 25 | 26 | String generateHtml(Tool currentTool, String title, File scorecardImageFile) throws IOException; 27 | } 28 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/tools/Logger.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.tools; 2 | 3 | public interface Logger { 4 | 5 | void print(String message); 6 | 7 | void println(String message); 8 | 9 | void println(); 10 | 11 | void printf(String format, Object... args); 12 | } 13 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/tools/LoggerConfigurationException.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.tools; 2 | 3 | public class LoggerConfigurationException extends Exception { 4 | 5 | public LoggerConfigurationException(String message) { 6 | super(message); 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/tools/ResponseInfo.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Dave Wichers 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.tools; 19 | 20 | import org.apache.hc.client5.http.classic.methods.HttpUriRequest; 21 | 22 | class ResponseInfo { 23 | private String responseString; 24 | private int seconds; 25 | private int statusCode; 26 | private HttpUriRequest requestBase; 27 | 28 | public String getResponseString() { 29 | return responseString; 30 | } 31 | 32 | public void setResponseString(String responseString) { 33 | this.responseString = responseString; 34 | } 35 | 36 | public int getTimeInSeconds() { 37 | return seconds; 38 | } 39 | 40 | public void setTimeInSeconds(int seconds) { 41 | this.seconds = seconds; 42 | } 43 | 44 | public int getStatusCode() { 45 | return statusCode; 46 | } 47 | 48 | public void setStatusCode(int statusCode) { 49 | this.statusCode = statusCode; 50 | } 51 | 52 | public HttpUriRequest getRequestBase() { 53 | return requestBase; 54 | } 55 | 56 | public void setRequestBase(HttpUriRequest request) { 57 | this.requestBase = request; 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /plugin/src/main/java/org/owasp/benchmarkutils/tools/SimpleFileLogger.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author David Anderson 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.tools; 19 | 20 | import java.io.Closeable; 21 | import java.io.File; 22 | import java.io.FileNotFoundException; 23 | import java.io.FileOutputStream; 24 | import java.io.PrintStream; 25 | import java.util.Properties; 26 | import java.util.concurrent.ConcurrentHashMap; 27 | import java.util.concurrent.ConcurrentMap; 28 | 29 | public class SimpleFileLogger implements Closeable, Logger { 30 | private static final ConcurrentMap loggerMap = 31 | new ConcurrentHashMap<>(); 32 | 33 | private static final Properties properties = new Properties(); 34 | 35 | final File file; 36 | private PrintStream out; 37 | 38 | private SimpleFileLogger(File file) throws FileNotFoundException { 39 | this.file = file; 40 | out = new PrintStream(new FileOutputStream(file)); 41 | } 42 | 43 | public static SimpleFileLogger getLogger(String name) 44 | throws FileNotFoundException, LoggerConfigurationException { 45 | SimpleFileLogger simpleLogger = loggerMap.get(name); 46 | if (simpleLogger != null) { 47 | return simpleLogger; 48 | } else { 49 | String filename = getFile(name); 50 | if (filename == null) { 51 | throw new LoggerConfigurationException("No file bound to logger ID: " + name); 52 | } 53 | File file = new File(getFile(name)); 54 | SimpleFileLogger newInstance = new SimpleFileLogger(file); 55 | SimpleFileLogger oldInstance = loggerMap.putIfAbsent(name, newInstance); 56 | return oldInstance == null ? newInstance : oldInstance; 57 | } 58 | } 59 | 60 | public static void setFile(String key, File file) { 61 | properties.setProperty(key, file.getAbsolutePath()); 62 | } 63 | 64 | public static String getFile(String key) { 65 | return properties.getProperty(key); 66 | } 67 | 68 | public void print(String message) { 69 | out.print(message); 70 | } 71 | 72 | public void println(String message) { 73 | out.println(message); 74 | } 75 | 76 | public void println() { 77 | out.println(); 78 | } 79 | 80 | public void printf(String format, Object... args) { 81 | out.printf(format, args); 82 | } 83 | 84 | public void close() { 85 | out.close(); 86 | } 87 | } 88 | -------------------------------------------------------------------------------- /plugin/src/main/resources/benchmark.properties: -------------------------------------------------------------------------------- 1 | #Fri Aug 06 12:42:39 EDT 2021 2 | hashAlg2=SHA-256 3 | hashAlg1=MD5 4 | cryptoAlg2=AES/CCM/NoPadding 5 | cryptoAlg1=DES/ECB/PKCS5Padding 6 | testsuite-version=1.3 7 | -------------------------------------------------------------------------------- /plugin/src/main/resources/defaultscoringconfig.yaml: -------------------------------------------------------------------------------- 1 | # The configuration for anything customizable in the scorecard generated for a particular test suite 2 | # Currently, only 1 set of scoring templates is supported, but what goes into those templates can be configured to a certain degree 3 | 4 | # Original command line parameters to scorecard generation 5 | 6 | # default expected results file 7 | expectedresults: expectedresults-1.2.csv 8 | 9 | # Default results directory. This can also be a specific results file, and only that file will be scored 10 | resultsfileordir: results 11 | 12 | # Which tool to emphasize during scorecard generation. Default is none. 13 | focustool: none 14 | 15 | anonymousmode: false # If true, anonymize names of commercial tools 16 | averageonlymode: false # If true, show averages by tool category (SAST, DAST, IAST), but don't show individual tool results 17 | mixedmode: false # If true, create scorecard that uses results from two versions of the same test suite 18 | 19 | ## Configuration parameters for scorecard generation: 20 | 21 | # The general name of a CWE or set of CWEs. 22 | cwecategoryname: Vulnerabilities # default CWE type menu name for Benchmark. Juliet might call this ''Weakness Classes' 23 | tprlabel: TPR # default value for Benchmark. Also referred to as Recall 24 | includeprojectlink: true # By default, add the link to the OWASP Benchmark project page to scorecards 25 | includeprecision: false # OWASP scorecards don't include precision calculation in tables. But it can be added. 26 | 27 | # End of default configuration 28 | -------------------------------------------------------------------------------- /plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP-Benchmark/BenchmarkUtils/b25dc315b8811166cd2bf19be7571f3ccec00b61/plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.eot -------------------------------------------------------------------------------- /plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP-Benchmark/BenchmarkUtils/b25dc315b8811166cd2bf19be7571f3ccec00b61/plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.ttf -------------------------------------------------------------------------------- /plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP-Benchmark/BenchmarkUtils/b25dc315b8811166cd2bf19be7571f3ccec00b61/plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.woff -------------------------------------------------------------------------------- /plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP-Benchmark/BenchmarkUtils/b25dc315b8811166cd2bf19be7571f3ccec00b61/plugin/src/main/resources/scorecard/content/fonts/glyphicons-halflings-regular.woff2 -------------------------------------------------------------------------------- /plugin/src/main/resources/scorecard/content/js/npm.js: -------------------------------------------------------------------------------- 1 | // This file is autogenerated via the `commonjs` Grunt task. You can require() this file in a CommonJS environment. 2 | require('../../js/transition.js') 3 | require('../../js/alert.js') 4 | require('../../js/button.js') 5 | require('../../js/carousel.js') 6 | require('../../js/collapse.js') 7 | require('../../js/dropdown.js') 8 | require('../../js/modal.js') 9 | require('../../js/tooltip.js') 10 | require('../../js/popover.js') 11 | require('../../js/scrollspy.js') 12 | require('../../js/tab.js') 13 | require('../../js/affix.js') -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/TestHelper.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score; 19 | 20 | import java.io.IOException; 21 | import java.io.InputStream; 22 | import java.nio.charset.Charset; 23 | import java.util.Objects; 24 | import org.apache.commons.io.IOUtils; 25 | 26 | public class TestHelper { 27 | 28 | public static ResultFile resultFileOf(String filename) { 29 | try { 30 | return new ResultFile(filename, contentOf(filename)); 31 | } catch (IOException e) { 32 | throw new RuntimeException(e); 33 | } 34 | } 35 | 36 | public static byte[] contentOf(String filename) { 37 | try { 38 | return IOUtils.toByteArray(asStream(filename)); 39 | } catch (IOException e) { 40 | throw new RuntimeException(e); 41 | } 42 | } 43 | 44 | public static ResultFile resultFileWithoutLineBreaksOf(String filename) { 45 | try { 46 | return new ResultFile(filename, contentWithoutLineBreaksOf(filename)); 47 | } catch (IOException e) { 48 | throw new RuntimeException(e); 49 | } 50 | } 51 | 52 | public static String contentWithoutLineBreaksOf(String filename) { 53 | try { 54 | return IOUtils.toString(asStream(filename), Charset.defaultCharset()) 55 | .replace('\n', ' '); 56 | } catch (IOException e) { 57 | throw new RuntimeException(e); 58 | } 59 | } 60 | 61 | private static InputStream asStream(String filename) { 62 | InputStream stream = TestHelper.class.getClassLoader().getResourceAsStream(filename); 63 | if (stream == null) { 64 | System.out.println("TEST ERROR: Test file: " + filename + " does not exist"); 65 | } 66 | return Objects.requireNonNull(stream); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/builder/TestSuiteResultsBuilder.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.builder; 19 | 20 | import org.owasp.benchmarkutils.score.TestSuiteResults; 21 | 22 | public class TestSuiteResultsBuilder { 23 | 24 | private String toolname = "Super Tool"; 25 | private boolean isCommercial = false; 26 | private TestSuiteResults.ToolType toolType = TestSuiteResults.ToolType.SAST; 27 | private String version = "47.11"; 28 | private String testSuiteVersion = "1.2"; 29 | 30 | private TestSuiteResultsBuilder() {} 31 | 32 | public static TestSuiteResultsBuilder builder() { 33 | return new TestSuiteResultsBuilder(); 34 | } 35 | 36 | public TestSuiteResultsBuilder setToolname(String toolname) { 37 | this.toolname = toolname; 38 | 39 | return this; 40 | } 41 | 42 | public TestSuiteResultsBuilder setIsCommercial(boolean isCommercial) { 43 | this.isCommercial = isCommercial; 44 | 45 | return this; 46 | } 47 | 48 | public TestSuiteResultsBuilder setToolType(TestSuiteResults.ToolType toolType) { 49 | this.toolType = toolType; 50 | 51 | return this; 52 | } 53 | 54 | public TestSuiteResultsBuilder setToolVersion(String version) { 55 | this.version = version; 56 | 57 | return this; 58 | } 59 | 60 | public TestSuiteResults build() { 61 | TestSuiteResults testSuiteResults = new TestSuiteResults(toolname, isCommercial, toolType); 62 | 63 | testSuiteResults.setToolVersion(version); 64 | testSuiteResults.setTestSuiteVersion(testSuiteVersion); 65 | 66 | return testSuiteResults; 67 | } 68 | 69 | public TestSuiteResultsBuilder setTestSuiteVersion(String testSuiteVersion) { 70 | this.testSuiteVersion = testSuiteVersion; 71 | 72 | return this; 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/builder/ToolBuilder.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.builder; 19 | 20 | import java.util.HashMap; 21 | import java.util.Map; 22 | import org.owasp.benchmarkutils.score.TP_FN_TN_FP_Counts; 23 | import org.owasp.benchmarkutils.score.TestSuiteResults; 24 | import org.owasp.benchmarkutils.score.Tool; 25 | import org.owasp.benchmarkutils.score.ToolResults; 26 | 27 | public class ToolBuilder { 28 | 29 | private TestSuiteResults testSuiteResults = TestSuiteResultsBuilder.builder().build(); 30 | private Map scores = new HashMap<>(); 31 | private ToolResults toolResults = new ToolResults(); 32 | private String actualCsvResultFileName = ""; 33 | private boolean isCommercial = false; 34 | 35 | private ToolBuilder() {} 36 | 37 | public static ToolBuilder builder() { 38 | return new ToolBuilder(); 39 | } 40 | 41 | public ToolBuilder setTestSuiteResults(TestSuiteResults testSuiteResults) { 42 | this.testSuiteResults = testSuiteResults; 43 | 44 | return this; 45 | } 46 | 47 | public ToolBuilder setScores(Map scores) { 48 | this.scores = scores; 49 | 50 | return this; 51 | } 52 | 53 | public ToolBuilder putScore(String key, TP_FN_TN_FP_Counts value) { 54 | this.scores.put(key, value); 55 | 56 | return this; 57 | } 58 | 59 | public ToolBuilder setToolResults(ToolResults toolResults) { 60 | this.toolResults = toolResults; 61 | 62 | return this; 63 | } 64 | 65 | public ToolBuilder setActualCsvResultFileName(String actualCsvResultFileName) { 66 | this.actualCsvResultFileName = actualCsvResultFileName; 67 | 68 | return this; 69 | } 70 | 71 | public ToolBuilder setIsCommercial(boolean isCommercial) { 72 | this.isCommercial = isCommercial; 73 | 74 | return this; 75 | } 76 | 77 | public Tool build() { 78 | return new Tool( 79 | testSuiteResults, scores, toolResults, actualCsvResultFileName, isCommercial); 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/builder/ToolResultsBuilder.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.score.builder; 2 | 3 | import java.util.HashSet; 4 | import java.util.Set; 5 | import org.owasp.benchmarkutils.score.CategoryResults; 6 | import org.owasp.benchmarkutils.score.ToolResults; 7 | 8 | public class ToolResultsBuilder { 9 | 10 | private Set categoryResults = new HashSet<>(); 11 | private double truePositiveRate = 0; 12 | private double falsePositiveRate = 0; 13 | private double precision = 0; 14 | 15 | private ToolResultsBuilder() {} 16 | 17 | public static ToolResultsBuilder builder() { 18 | return new ToolResultsBuilder(); 19 | } 20 | 21 | public ToolResults build() { 22 | ToolResults results = new ToolResults(); 23 | 24 | results.setTruePositiveRate(truePositiveRate); 25 | results.setFalsePositiveRate(falsePositiveRate); 26 | results.setPrecision(precision); 27 | 28 | categoryResults.forEach( 29 | cr -> 30 | results.add( 31 | cr.category, 32 | cr.precision, 33 | cr.truePositiveRate, 34 | cr.falsePositiveRate, 35 | cr.totalTestCases)); 36 | 37 | return results; 38 | } 39 | 40 | public ToolResultsBuilder setCategoryResults(Set categoryResultsMap) { 41 | this.categoryResults = categoryResultsMap; 42 | 43 | return this; 44 | } 45 | 46 | public ToolResultsBuilder addCategoryResult(CategoryResults result) { 47 | this.categoryResults.add(result); 48 | 49 | return this; 50 | } 51 | 52 | public ToolResultsBuilder setTruePositiveRate(double truePositiveRate) { 53 | this.truePositiveRate = truePositiveRate; 54 | 55 | return this; 56 | } 57 | 58 | public ToolResultsBuilder setFalsePositiveRate(double falsePositiveRate) { 59 | this.falsePositiveRate = falsePositiveRate; 60 | 61 | return this; 62 | } 63 | 64 | public ToolResultsBuilder setPrecision(double precision) { 65 | this.precision = precision; 66 | 67 | return this; 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/domain/TestSuiteNameTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.domain; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | 22 | import org.junit.jupiter.api.Test; 23 | 24 | class TestSuiteNameTest { 25 | 26 | @Test 27 | void returnsSimpleName() { 28 | assertEquals("SimpleName", new TestSuiteName("SimpleName").simpleName()); 29 | assertEquals("Benchmark", new TestSuiteName("Benchmark").simpleName()); 30 | } 31 | 32 | @Test 33 | void returnsFixedFullNameForBenchmark() { 34 | assertEquals("OWASP Benchmark", new TestSuiteName("Benchmark").fullName()); 35 | } 36 | 37 | @Test 38 | void returnsSimpleNameForFullNameWhenNotBenchmark() { 39 | assertEquals("SimpleName", new TestSuiteName("SimpleName").fullName()); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ArachniReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class ArachniReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Arachni-v2.0dev.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyArachniReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, ArachniReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | ArachniReader reader = new ArachniReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Arachni", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BearerReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Cédric Fabianski 16 | * @created 2023 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class BearerReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFileV1_30; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFileV1_30 = TestHelper.resultFileOf("testfiles/Benchmark_Bearer-v1.30.0.jsonv2"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyBearerReaderReportsCanReadAsTrueForV1_30() { 43 | assertOnlyMatcherClassIs(this.resultFileV1_30, BearerReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFileInV1_30() throws Exception { 48 | BearerReader reader = new BearerReader(); 49 | TestSuiteResults result = reader.parse(resultFileV1_30); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Bearer", result.getToolName()); 54 | assertEquals("v1.30.0", result.getToolVersion()); 55 | 56 | assertEquals(3, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(7).get(0).getCWE()); 59 | assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(5).get(0).getCWE()); 60 | assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(35).get(0).getCWE()); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BlackDuckReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2025 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class BlackDuckReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark-BlackDuck.json"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyBlackDuckReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, BlackDuckReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | BlackDuckReader reader = new BlackDuckReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("BlackDuck", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/BurpReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class BurpReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_BurpPro-v2020.2.1.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyBurpReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, BurpReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | BurpReader reader = new BurpReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Burp Suite Pro", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CASTAIPReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class CASTAIPReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_CAST_AIP-v8.2.3.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyCASTAIPReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, CASTAIPReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | CASTAIPReader reader = new CASTAIPReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("CAST AIP", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CheckmarxIASTReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class CheckmarxIASTReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_CxIAST.csv"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyCheckmarxIASTReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, CheckmarxIASTReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | CheckmarxIASTReader reader = new CheckmarxIASTReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.IAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("CxIAST", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class CheckmarxReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Checkmarx-v8.2.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyCheckmarxReaderTestReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, CheckmarxReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | CheckmarxReader reader = new CheckmarxReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Checkmarx CxSAST", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/DatadogReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Ander Ruiz 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class DatadogReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_1.2-Datadog.log"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyDatadogReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, DatadogReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | DatadogReader reader = new DatadogReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.IAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Datadog", result.getToolName()); 54 | assertEquals("0.108.0", result.getToolVersion()); 55 | 56 | assertEquals(4, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1609).get(0).getCWE()); 59 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE()); 60 | assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(1).get(0).getCWE()); 61 | assertEquals(CweNumber.TRUST_BOUNDARY_VIOLATION, result.get(4).get(0).getCWE()); 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2023 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class FluidAttacksReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Fluid-Attacks-v20210416.csv"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyFluidReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, FluidAttacksReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | FluidAttacksReader reader = new FluidAttacksReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Fluid Attacks", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FortifyReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class FortifyReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Fortify20.20_2020Q1-1234.fpr"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyFortifyReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, FortifyReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | FortifyReader reader = new FortifyReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Fortify", result.getToolName()); 54 | assertEquals("0:20:34", result.getTime()); 55 | 56 | assertEquals(2, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 59 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class HCLAppScanIASTReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_HCL-IAST.hcl"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyHCLReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, HCLAppScanIASTReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | HCLAppScanIASTReader reader = new HCLAppScanIASTReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.IAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("HCL AppScan IAST", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2023 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class HCLAppScanSourceReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_HCLAppScanSource-2.4.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyHCLAppScanSourceReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, HCLAppScanSourceReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | HCLAppScanSourceReader reader = new HCLAppScanSourceReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("HCL AppScan Cloud", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class HCLAppScanStandardReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = 38 | TestHelper.resultFileOf("testfiles/Benchmark_HCLAppScanStandardReader-v10.0.6.xml"); 39 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 40 | } 41 | 42 | @Test 43 | public void onlyHCLAppScanStandardReaderReportsCanReadAsTrue() { 44 | assertOnlyMatcherClassIs(this.resultFile, HCLAppScanStandardReader.class); 45 | } 46 | 47 | @Test 48 | void readerHandlesGivenV10ResultFile() throws Exception { 49 | HCLAppScanStandardReader reader = new HCLAppScanStandardReader(); 50 | TestSuiteResults result = reader.parse(resultFile); 51 | 52 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 53 | assertTrue(result.isCommercial()); 54 | assertEquals("HCL AppScan Standard", result.getToolName()); 55 | assertEquals("10.0.6", result.getToolVersion()); 56 | 57 | assertEquals(4, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 61 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(300).get(0).getCWE()); 62 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(348).get(0).getCWE()); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/HorusecReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class HorusecReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_horusec-v2.5.0.json"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyHorusecReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, HorusecReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | HorusecReader reader = new HorusecReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Horusec", result.getToolName()); 54 | assertEquals("1:23:45", result.getTime()); 55 | assertEquals("v2.5.0", result.getToolVersion()); 56 | 57 | assertEquals(2, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/InsiderReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class InsiderReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_insider-v3.0.0.json"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyInsiderReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, InsiderReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | InsiderReader reader = new InsiderReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Insider", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/JuliaReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class JuliaReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_JuliaSoft-v2.3.2.1.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyJuliaReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, JuliaReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | JuliaReader reader = new JuliaReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Julia", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.WEAK_CRYPTO_ALGO, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/KiuwanReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class KiuwanReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Kiuwan-20191012.threadfix"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyKiuwanReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, KiuwanReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | KiuwanReader reader = new KiuwanReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Kiuwan", result.getToolName()); 54 | assertEquals("some.version", result.getToolVersion()); 55 | assertEquals("01:23:45", result.getTime()); 56 | 57 | assertEquals(2, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Dave Wichers 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class KlocworkCSVReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Klocwork.csv"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyKlocworkCSVReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, KlocworkCSVReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | KlocworkCSVReader reader = new KlocworkCSVReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Klocwork", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/MendReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class MendReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Mend.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyMendReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, MendReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | MendReader reader = new MendReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Mend", result.getToolName()); 54 | assertEquals("01:23:45", result.getTime()); 55 | 56 | assertEquals(2, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 59 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/NetsparkerReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class NetsparkerReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Netsparker.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyNetsparkerReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, NetsparkerReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | NetsparkerReader reader = new NetsparkerReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Netsparker", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.COOKIE_WITHOUT_HTTPONLY, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ParasoftReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class ParasoftReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_ParasoftJTest-v10.2.3.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyParasoftReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, ParasoftReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | ParasoftReader reader = new ParasoftReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Parasoft Jtest", result.getToolName()); 54 | assertEquals("0:12:34", result.getTime()); 55 | 56 | assertEquals(2, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 59 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/Rapid7ReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class Rapid7ReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_AppSpider-v7.2.119-1234.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyZapReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, Rapid7Reader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | Rapid7Reader reader = new Rapid7Reader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Rapid7 AppSpider", result.getToolName()); 54 | assertEquals("7.2.119.1", result.getToolVersion()); 55 | assertEquals("0:12:34", result.getTime()); 56 | 57 | assertEquals(2, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ReaderTestBase.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.score.parsers; 2 | 3 | import static java.util.Collections.singletonList; 4 | import static org.junit.jupiter.api.Assertions.assertEquals; 5 | import static org.junit.jupiter.api.Assertions.assertTrue; 6 | 7 | import java.util.List; 8 | import java.util.stream.Collectors; 9 | import org.junit.jupiter.api.Test; 10 | import org.owasp.benchmarkutils.score.ResultFile; 11 | 12 | public abstract class ReaderTestBase { 13 | 14 | // This list is used in the next test 15 | private static final List THE_READERS = Reader.allReaders(); 16 | 17 | @Test 18 | public void assertReaderIsInReaderAllReadersList() { 19 | boolean readerInList = false; 20 | String thisReaderName = this.getClass().getSimpleName(); // This gets ReaderNameTEST 21 | thisReaderName = thisReaderName.substring(0, thisReaderName.length() - "TEST".length()); 22 | for (Reader reader : THE_READERS) { 23 | if (reader.getClass().getSimpleName().equals(thisReaderName)) { 24 | readerInList = true; 25 | break; 26 | } 27 | } 28 | assertTrue( 29 | readerInList, 30 | "Reader " + thisReaderName + " must be added to Reader.allReaders() list"); 31 | } 32 | 33 | protected void assertOnlyMatcherClassIs(ResultFile resultFile, Class c) { 34 | List> readers = 35 | Reader.allReaders().stream() 36 | .filter(r -> r.canRead(resultFile)) 37 | .map(Reader::getClass) 38 | .collect(Collectors.toList()); 39 | 40 | assertEquals(simpleNames(singletonList(c)), simpleNames(readers)); 41 | 42 | assertTrue(readers.get(0).isAssignableFrom(c)); 43 | } 44 | 45 | private List simpleNames(List> classList) { 46 | return classList.stream().map(Class::getSimpleName).collect(Collectors.toList()); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ScnrReaderTest.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.score.parsers; 2 | 3 | import static org.junit.jupiter.api.Assertions.assertEquals; 4 | import static org.junit.jupiter.api.Assertions.assertTrue; 5 | 6 | import org.junit.jupiter.api.BeforeEach; 7 | import org.junit.jupiter.api.Test; 8 | import org.owasp.benchmarkutils.score.BenchmarkScore; 9 | import org.owasp.benchmarkutils.score.CweNumber; 10 | import org.owasp.benchmarkutils.score.ResultFile; 11 | import org.owasp.benchmarkutils.score.TestHelper; 12 | import org.owasp.benchmarkutils.score.TestSuiteResults; 13 | 14 | public class ScnrReaderTest extends ReaderTestBase { 15 | 16 | private ResultFile jsonResultFile; 17 | private ResultFile xmlResultFile; 18 | 19 | @BeforeEach 20 | void setUp() { 21 | jsonResultFile = TestHelper.resultFileOf("testfiles/Benchmark_SCNR.json"); 22 | xmlResultFile = TestHelper.resultFileOf("testfiles/Benchmark_SCNR.xml"); 23 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 24 | } 25 | 26 | @Test 27 | public void onlyScnrReaderReportsCanReadAsTrueForJsonFile() { 28 | assertOnlyMatcherClassIs(this.jsonResultFile, ScnrReader.class); 29 | } 30 | 31 | @Test 32 | public void onlyScnrReaderReportsCanReadAsTrueForXmlFile() { 33 | assertOnlyMatcherClassIs(this.xmlResultFile, ScnrReader.class); 34 | } 35 | 36 | @Test 37 | void readerHandlesGivenJsonResultFile() throws Exception { 38 | ScnrReader reader = new ScnrReader(); 39 | TestSuiteResults result = reader.parse(jsonResultFile); 40 | 41 | assertToolData(result); 42 | 43 | assertEquals(2, result.getTotalResults()); 44 | 45 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 46 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 47 | } 48 | 49 | private static void assertToolData(TestSuiteResults result) { 50 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 51 | assertTrue(result.isCommercial()); 52 | assertEquals("SCNR", result.getToolName()); 53 | assertEquals("1.0dev", result.getToolVersion()); 54 | assertEquals("12:34:56", result.getTime()); 55 | } 56 | 57 | @Test 58 | void readerHandlesGivenXmlResultFile() throws Exception { 59 | ScnrReader reader = new ScnrReader(); 60 | TestSuiteResults result = reader.parse(xmlResultFile); 61 | 62 | assertToolData(result); 63 | 64 | assertEquals(2, result.getTotalResults()); 65 | 66 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 67 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SeekerReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class SeekerReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Seeker.csv"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlySeekerReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, SeekerReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | SeekerReader reader = new SeekerReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.IAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("Seeker", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.TRUST_BOUNDARY_VIOLATION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ShiftLeftScanReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class ShiftLeftScanReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_shiftleftscan-v2.0.3.json"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyShiftLeftScanReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, ShiftLeftScanReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | ShiftLeftScanReader reader = new ShiftLeftScanReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("ShiftLeft Scan", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COOKIE_WITHOUT_HTTPONLY, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class SonarQubeReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile pluginResultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | pluginResultFile = 38 | TestHelper.resultFileOf("testfiles/Benchmark_sonar-Java-Plugin-v3.14-1234.xml"); 39 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 40 | } 41 | 42 | @Test 43 | public void onlySonarQubeReaderReportsCanReadAsTrueForPluginResultFile() { 44 | assertOnlyMatcherClassIs(this.pluginResultFile, SonarQubeReader.class); 45 | } 46 | 47 | @Test 48 | void readerHandlesGivenPluginResultFile() throws Exception { 49 | SonarQubeReader reader = new SonarQubeReader(); 50 | TestSuiteResults result = reader.parse(pluginResultFile); 51 | 52 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 53 | assertFalse(result.isCommercial()); 54 | assertEquals("SonarQube Java Plugin", result.getToolName()); 55 | assertEquals("0:20:34", result.getTime()); 56 | 57 | assertEquals(2, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.WEAK_RANDOM, result.get(2).get(0).getCWE()); 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ThunderScanReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class ThunderScanReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_ThunderScan.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyZapReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, ThunderScanReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | ThunderScanReader reader = new ThunderScanReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertTrue(result.isCommercial()); 53 | assertEquals("ThunderScan", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.XPATH_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VeracodeReaderTest.java: -------------------------------------------------------------------------------- 1 | package org.owasp.benchmarkutils.score.parsers; 2 | 3 | import org.junit.jupiter.api.BeforeEach; 4 | import org.junit.jupiter.api.Test; 5 | import org.owasp.benchmarkutils.score.*; 6 | 7 | import static org.junit.jupiter.api.Assertions.assertEquals; 8 | import static org.junit.jupiter.api.Assertions.assertTrue; 9 | 10 | class VeracodeReaderTest extends ReaderTestBase { 11 | 12 | private ResultFile resultFile; 13 | 14 | @BeforeEach 15 | void setUp() { 16 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Veracode.xml"); 17 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 18 | } 19 | 20 | @Test 21 | void onlyVeracodeReportCanReadAsTrue() { 22 | assertOnlyMatcherClassIs(this.resultFile, VeracodeReader.class); 23 | } 24 | 25 | @Test 26 | void readerHandlesGivenResultFile() throws Exception { 27 | VeracodeReader reader = new VeracodeReader(); 28 | TestSuiteResults result = reader.parse(resultFile); 29 | 30 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 31 | assertTrue(result.isCommercial()); 32 | assertEquals("Veracode SAST", result.getToolName()); 33 | 34 | assertEquals(3, result.getTotalResults()); 35 | 36 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(7).get(0).getCWE()); 37 | assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE()); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class VisualCodeGrepperReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_visualcodegrepper-v2.2.0.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyFindbugsReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, VisualCodeGrepperReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | VisualCodeGrepperReader reader = new VisualCodeGrepperReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("VisualCodeGrepper", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/W3AFReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class W3AFReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_w3af-v1.7.6.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyW3AFReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, W3AFReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | W3AFReader reader = new W3AFReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("W3AF", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiJsonReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class WapitiJsonReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Wapiti-v3.0.5.json"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyWapitiJsonReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, WapitiJsonReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | WapitiJsonReader reader = new WapitiJsonReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Wapiti", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/WapitiReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class WapitiReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Wapiti-v3.0.3.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyWapitiReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, WapitiReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | WapitiReader reader = new WapitiReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("Wapiti", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/ZapReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2021 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | 31 | public class ZapReaderTest extends ReaderTestBase { 32 | 33 | private ResultFile resultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_ZAP_WEEKLY.xml"); 38 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 39 | } 40 | 41 | @Test 42 | public void onlyZapReaderReportsCanReadAsTrue() { 43 | assertOnlyMatcherClassIs(this.resultFile, ZapReader.class); 44 | } 45 | 46 | @Test 47 | void readerHandlesGivenResultFile() throws Exception { 48 | ZapReader reader = new ZapReader(); 49 | TestSuiteResults result = reader.parse(resultFile); 50 | 51 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 52 | assertFalse(result.isCommercial()); 53 | assertEquals("OWASP ZAP", result.getToolName()); 54 | 55 | assertEquals(2, result.getTotalResults()); 56 | 57 | assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE()); 58 | assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE()); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/csv/WhiteHatDynamicReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.csv; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 31 | 32 | public class WhiteHatDynamicReaderTest extends ReaderTestBase { 33 | 34 | private ResultFile resultFile; 35 | 36 | @BeforeEach 37 | void setUp() { 38 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_WhiteHat.csv"); 39 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 40 | } 41 | 42 | @Test 43 | public void onlyWhiteHatDynamicReaderReportsCanReadAsTrue() { 44 | assertOnlyMatcherClassIs(this.resultFile, WhiteHatDynamicReader.class); 45 | } 46 | 47 | @Test 48 | void readerHandlesGivenResultFile() throws Exception { 49 | WhiteHatDynamicReader reader = new WhiteHatDynamicReader(); 50 | TestSuiteResults result = reader.parse(resultFile); 51 | 52 | assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType()); 53 | assertTrue(result.isCommercial()); 54 | assertEquals("WhiteHat Dynamic", result.getToolName()); 55 | 56 | assertEquals(2, result.getTotalResults()); 57 | 58 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 59 | assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/ContrastScanReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2022 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertNull; 22 | import static org.junit.jupiter.api.Assertions.assertTrue; 23 | 24 | import org.junit.jupiter.api.BeforeEach; 25 | import org.junit.jupiter.api.Test; 26 | import org.owasp.benchmarkutils.score.BenchmarkScore; 27 | import org.owasp.benchmarkutils.score.CweNumber; 28 | import org.owasp.benchmarkutils.score.ResultFile; 29 | import org.owasp.benchmarkutils.score.TestHelper; 30 | import org.owasp.benchmarkutils.score.TestSuiteResults; 31 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 32 | 33 | public class ContrastScanReaderTest extends ReaderTestBase { 34 | 35 | private ResultFile resultFile; 36 | 37 | @BeforeEach 38 | void setUp() { 39 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Contrast_3.9.0.sarif.json"); 40 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 41 | } 42 | 43 | @Test 44 | public void onlyContrastJsonReaderReportsCanReadAsTrue() { 45 | assertOnlyMatcherClassIs(this.resultFile, ContrastScanReader.class); 46 | } 47 | 48 | @Test 49 | void readerHandlesGivenResultFile() throws Exception { 50 | ContrastScanReader reader = new ContrastScanReader(); 51 | TestSuiteResults result = reader.parse(resultFile); 52 | 53 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 54 | assertTrue(result.isCommercial()); 55 | assertEquals("Contrast Scan", result.getToolName()); 56 | assertNull(result.getToolVersion()); 57 | assertEquals("22:22:22", result.getTime()); 58 | 59 | assertEquals(2, result.getTotalResults()); 60 | 61 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE()); 62 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(2).get(0).getCWE()); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/DatadogSastReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Julien Delange 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 31 | 32 | public class DatadogSastReaderTest extends ReaderTestBase { 33 | 34 | private ResultFile resultFile; 35 | 36 | @BeforeEach 37 | void setUp() { 38 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_DatadogSast.sarif"); 39 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 40 | } 41 | 42 | @Test 43 | public void canReadFile() { 44 | assertOnlyMatcherClassIs(this.resultFile, DatadogSastReader.class); 45 | } 46 | 47 | @Test 48 | void readerHandlesGivenResultFile() throws Exception { 49 | DatadogSastReader reader = new DatadogSastReader(); 50 | TestSuiteResults result = reader.parse(resultFile); 51 | 52 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 53 | assertEquals("DatadogSast", result.getToolName()); 54 | assertEquals("0.2.9", result.getToolVersion()); 55 | assertFalse(result.isCommercial()); 56 | 57 | assertEquals(1, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(10).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Alexey Zhukov 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | 22 | import org.junit.jupiter.api.BeforeEach; 23 | import org.junit.jupiter.api.Test; 24 | import org.owasp.benchmarkutils.score.*; 25 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 26 | 27 | public class PTAIReaderTest extends ReaderTestBase { 28 | 29 | private ResultFile resultFile; 30 | 31 | @BeforeEach 32 | void setUp() { 33 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif"); 34 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 35 | } 36 | 37 | @Test 38 | public void onlyPTAIReaderTestReportsCanReadAsTrue() { 39 | assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class); 40 | } 41 | 42 | @Test 43 | void readerHandlesGivenResultFile() throws Exception { 44 | PTAIReader reader = new PTAIReader(); 45 | TestSuiteResults result = reader.parse(resultFile); 46 | 47 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 48 | 49 | assertEquals("PT Application Inspector", result.getToolName()); 50 | assertEquals("4.7.2", result.getToolVersion()); 51 | 52 | assertEquals(2, result.getTotalResults()); 53 | 54 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 55 | assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE()); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PrecautionReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Eric Brown 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertFalse; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 31 | import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader; 32 | 33 | class PrecautionReaderTest extends ReaderTestBase { 34 | 35 | private ResultFile resultFile; 36 | 37 | @BeforeEach 38 | void setUp() { 39 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Precaution.sarif"); 40 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 41 | } 42 | 43 | @Test 44 | public void onlyPrecautionReportsCanReadAsTrue() { 45 | assertOnlyMatcherClassIs(this.resultFile, PrecautionReader.class); 46 | } 47 | 48 | @Test 49 | void readerHandlesGivenResultFile() throws Exception { 50 | PrecautionReader reader = new PrecautionReader(); 51 | TestSuiteResults result = reader.parse(resultFile); 52 | 53 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 54 | assertFalse(result.isCommercial()); 55 | assertEquals("Precaution", result.getToolName()); 56 | assertEquals("0.5.0", result.getToolVersion()); 57 | 58 | assertEquals(1, result.getTotalResults()); 59 | assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(73).get(0).getCWE()); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | 22 | import org.junit.jupiter.params.ParameterizedTest; 23 | import org.junit.jupiter.params.provider.ValueSource; 24 | import org.owasp.benchmarkutils.score.parsers.sarif.SarifReader; 25 | 26 | public class SarifReaderTest { 27 | 28 | @ParameterizedTest(name = "{index} - extracts cwe number from input {0}") 29 | @ValueSource( 30 | strings = { 31 | "CWE-326", 32 | "CWE-326: Inadequate Encryption Strength", 33 | "external/cwe/cwe-326", 34 | "CWE:326" 35 | }) 36 | void extractsCweNumberFromInput(String input) { 37 | assertEquals(326, SarifReader.extractCwe(input)); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReaderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details 14 | * 15 | * @author Raj Barath 16 | * @created 2023 17 | */ 18 | package org.owasp.benchmarkutils.score.parsers.sarif; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertTrue; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.BenchmarkScore; 26 | import org.owasp.benchmarkutils.score.CweNumber; 27 | import org.owasp.benchmarkutils.score.ResultFile; 28 | import org.owasp.benchmarkutils.score.TestHelper; 29 | import org.owasp.benchmarkutils.score.TestSuiteResults; 30 | import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; 31 | 32 | class SnykReaderTest extends ReaderTestBase { 33 | 34 | private ResultFile resultFile; 35 | 36 | @BeforeEach 37 | void setUp() { 38 | resultFile = TestHelper.resultFileOf("testfiles/Benchmark_SnykCodeCli.sarif"); 39 | BenchmarkScore.TESTCASENAME = "BenchmarkTest"; 40 | } 41 | 42 | @Test 43 | void onlySnykReaderReportsCanReadAsTrue() { 44 | assertOnlyMatcherClassIs(this.resultFile, SnykReader.class); 45 | } 46 | 47 | @Test 48 | void readerHandlesGivenResultFile() throws Exception { 49 | SnykReader reader = new SnykReader(); 50 | TestSuiteResults result = reader.parse(resultFile); 51 | 52 | assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); 53 | assertTrue(result.isCommercial()); 54 | assertEquals("SnykCode", result.getToolName()); 55 | assertEquals("1.0.0", result.getToolVersion()); 56 | 57 | assertEquals(2, result.getTotalResults()); 58 | 59 | assertEquals(CweNumber.INSECURE_COOKIE, result.get(1).get(0).getCWE()); 60 | assertEquals(CweNumber.XPATH_INJECTION, result.get(2).get(0).getCWE()); 61 | } 62 | 63 | @Test 64 | void readerMapsCwes() { 65 | SnykReader reader = new SnykReader(); 66 | assertEquals( 67 | CweNumber.WEAK_HASH_ALGO, 68 | reader.mapCwe(CweNumber.PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT)); 69 | assertEquals(CweNumber.PATH_TRAVERSAL, reader.mapCwe(CweNumber.RELATIVE_PATH_TRAVERSAL)); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/report/FormatsTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details. 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.report; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.owasp.benchmarkutils.score.report.Formats.fourDecimalPlacesNumber; 22 | import static org.owasp.benchmarkutils.score.report.Formats.singleDecimalPlaceNumber; 23 | import static org.owasp.benchmarkutils.score.report.Formats.twoDecimalPlacesPercentage; 24 | 25 | import org.junit.jupiter.api.Test; 26 | 27 | class FormatsTest { 28 | 29 | @Test 30 | void hasFormatterForTwoDecimalPlacesPercentage() { 31 | assertEquals("1234.57%", twoDecimalPlacesPercentage.format(12.345678)); 32 | } 33 | 34 | @Test 35 | void hasFormatterForFourDecimalPlaces() { 36 | assertEquals("12.3457", fourDecimalPlacesNumber.format(12.345678)); 37 | } 38 | 39 | @Test 40 | void hasFormatterForSingleDecimalPlace() { 41 | assertEquals("12.3", singleDecimalPlaceNumber.format(12.345678)); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /plugin/src/test/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProviderTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * OWASP Benchmark Project 3 | * 4 | *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For 5 | * details, please see https://owasp.org/www-project-benchmark/. 7 | * 8 | *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms 9 | * of the GNU General Public License as published by the Free Software Foundation, version 2. 10 | * 11 | *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 13 | * PURPOSE. See the GNU General Public License for more details 14 | * 15 | * @author Sascha Knoop 16 | * @created 2024 17 | */ 18 | package org.owasp.benchmarkutils.score.service; 19 | 20 | import static org.junit.jupiter.api.Assertions.assertEquals; 21 | import static org.junit.jupiter.api.Assertions.assertNull; 22 | 23 | import org.junit.jupiter.api.BeforeEach; 24 | import org.junit.jupiter.api.Test; 25 | import org.owasp.benchmarkutils.score.CweNumber; 26 | import org.owasp.benchmarkutils.score.ResultFile; 27 | import org.owasp.benchmarkutils.score.TestHelper; 28 | import org.owasp.benchmarkutils.score.TestSuiteResults; 29 | 30 | class ExpectedResultsProviderTest { 31 | 32 | private ResultFile simpleResultFile; 33 | private ResultFile extendedResultFile; 34 | 35 | @BeforeEach 36 | void setUp() { 37 | simpleResultFile = TestHelper.resultFileOf("expectedresults-1.2-simple.csv"); 38 | extendedResultFile = TestHelper.resultFileOf("expectedresults-1.2-extended.csv"); 39 | } 40 | 41 | @Test 42 | void providerHandlesGivenSimpleResultFile() throws Exception { 43 | TestSuiteResults result = ExpectedResultsProvider.parse(simpleResultFile); 44 | 45 | assertNull(result.getToolType()); 46 | assertEquals("Expected", result.getToolName()); 47 | 48 | assertEquals(2, result.getTotalResults()); 49 | 50 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 51 | assertNull(result.get(1).get(0).getSource()); 52 | 53 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 54 | assertNull(result.get(2).get(0).getSource()); 55 | } 56 | 57 | @Test 58 | void providerHandlesGivenExtendedResultFile() throws Exception { 59 | TestSuiteResults result = ExpectedResultsProvider.parse(extendedResultFile); 60 | 61 | assertNull(result.getToolType()); 62 | assertEquals("Expected", result.getToolName()); 63 | 64 | assertEquals(2, result.getTotalResults()); 65 | 66 | assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE()); 67 | assertEquals("RequestGetCookies.code", result.get(1).get(0).getSource()); 68 | 69 | assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE()); 70 | assertEquals("RequestGetHeader.code", result.get(2).get(0).getSource()); 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /plugin/src/test/resources/expectedresults-1.2-extended.csv: -------------------------------------------------------------------------------- 1 | # test name, category, real vulnerability, cwe, template, source, vuln src, data flow, vuln df, sink, vuln sink, UI Template, Benchmark version: 1.2, 2024-05-1 2 | BenchmarkTest00001,pathtraver,true,22,"_NoDataflowTemplate.code","RequestGetCookies.code",true,none,true,"FileInputStream-F.code",true,"UI_HTML_post_getCookies.code" 3 | BenchmarkTest00002,cmdi,true,78,"_NoDataflowTemplate.code","RequestGetHeader.code",true,none,true,"ProcessBuilderCommand-L.code",true,"UI_HTML_post_getHeader.code" 4 | -------------------------------------------------------------------------------- /plugin/src/test/resources/expectedresults-1.2-simple.csv: -------------------------------------------------------------------------------- 1 | # test name, category, real vulnerability, cwe, Benchmark version: 1.2, 2016-06-1 2 | BenchmarkTest00001,pathtraver,true,22 3 | BenchmarkTest00002,cmdi,true,78 4 | -------------------------------------------------------------------------------- /plugin/src/test/resources/report-html-config.yml: -------------------------------------------------------------------------------- 1 | # config file to test html report related things 2 | includeprojectlink: true 3 | includeprecision: true 4 | 5 | report: 6 | html: 7 | projectLinkEntry: | 8 |

9 | projectLinkEntry 10 |

11 | precisionKeyEntry: | 12 |

13 | precisionKeyEntry 14 |

15 | fsCoreEntry: | 16 |

17 | fsCoreEntry 18 |

19 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark-BlackDuck.json: -------------------------------------------------------------------------------- 1 | { 2 | "driver": "polaris_blackduck", 3 | "_items": [ 4 | { 5 | "id": "11111111111111111111111111111111", 6 | "weaknessId": "w-1", 7 | "type": { 8 | "id": "11111111-1111-1111-1111-111111111111", 9 | "altName": "sql_injection:nosink|java" 10 | }, 11 | "occurrenceProperties": [ 12 | { 13 | "key": "filename", 14 | "value": "BenchmarkTest00001.java" 15 | }, 16 | { 17 | "key": "cwe", 18 | "value": "CWE-89" 19 | } 20 | ], 21 | "_type": "issues" 22 | }, 23 | { 24 | "id": "22222222222222222222222222222222", 25 | "weaknessId": "w-2", 26 | "type": { 27 | "id": "22222222-2222-2222-2222-222222222222", 28 | "altName": "xss|java" 29 | }, 30 | "occurrenceProperties": [ 31 | { 32 | "key": "filename", 33 | "value": "BenchmarkTest00002.java" 34 | }, 35 | { 36 | "key": "cwe", 37 | "value": "CWE-79" 38 | } 39 | ] 40 | } 41 | ], 42 | "totalCount": 2 43 | } 44 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Acunetix-v1.4.1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 00000000000000000000000000000000 5 | https://localhost:8443/benchmark/ 6 | 01/01/1970 01:01 AM 7 | 1.23:45:67.0123456 8 | 9 | 10 | 11 | 00000000-0000-0000-0000-000000000000 12 | https://localhost:8443/benchmark/cmdi-01/BenchmarkTest00001 13 | CommandInjection 14 | Command Injection 15 | Critical 16 | 100 17 | True 18 | Revived 19 | 1/01/1970 1:01:01 PM -01:00 20 | 1/01/1970 1:01:01 PM -01:00 21 | 22 | 78 23 | 24 | 25 | 26 | 00000000-0000-0000-0000-000000000000 27 | https://localhost:8443/benchmark/xss-01/BenchmarkTest00002 28 | Cross-siteScripting 29 | Cross-site Scripting 30 | High 31 | 100 32 | True 33 | Revived 34 | 1/01/1970 1:01:01 PM -01:00 35 | 1/01/1970 1:01:01 PM -01:00 36 | 37 | 79 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Acunetix-v15.3.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_AppSpider-v7.2.119-1234.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7.2.119.1 4 | Lorem Ipsum 5 | 6 | 1970-01-01 01:01:01 7 | 0:12:34 8 | 1970-01-01 01:01:01 9 | -1 10 | 11 | 12 | Blind SQL Injection 13 | https://adcvbsaws06:8443/benchmark/sqli-01/BenchmarkTest00001 14 | https://adcvbsaws06:8443/benchmark/sqli-01/BenchmarkTest00001? 15 | https://adcvbsaws06:8443/benchmark/sqli-01/BenchmarkTest00001 16 | 89 17 | Medium 18 | 19 | 20 | Command Injection 21 | https://adcvbsaws06:8443/benchmark/cmdi-02/BenchmarkTest00002 22 | https://adcvbsaws06:8443/benchmark/cmdi-02/BenchmarkTest00002 23 | ECHO command (pipe) 24 | https://adcvbsaws06:8443/benchmark/cmdi-02/BenchmarkTest00002 25 | 78 26 | High 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_BurpPro-v2020.2.1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 0000000000000000000 5 | 1048832 6 | 7 | https://localhost:8443 8 | 9 | 10 | High 11 | Certain 12 | Lorem Ipsum 13 | Lorem Ipsum 14 | Lorem Ipsum 15 | Lorem Ipsum 16 | Lorem Ipsum 17 | 18 | 19 | 0000000000000000000 20 | 1049088 21 | 22 | https://localhost:8443 23 | 24 | 25 | High 26 | Certain 27 | Lorem Ipsum 28 | Lorem Ipsum 29 | Lorem Ipsum 30 | Lorem Ipsum 31 | Lorem Ipsum 32 | Lorem Ipsum 33 | 34 | 35 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_CAST_AIP-v8.2.3.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Avoid OS command injection vulnerabilities ( CWE-78 ) 5 | 6 | 7 | Avoid SQL injection vulnerabilities ( CWE-89 ) 8 | 9 | 10 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Checkmarx-v8.2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | /testcode/BenchmarkTest00001.java 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | /testcode/BenchmarkTest00002.java 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Contrast_3.9.0.sarif.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.1.0", 3 | "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", 4 | "runs": [ 5 | { 6 | "tool": { 7 | "driver": { 8 | "name": "Contrast Scan", 9 | "organization": "Contrast Security, Inc.", 10 | "version": "pkg: null, engine: null, policy: null", 11 | "informationUri": "https://www.contrastsecurity.com" 12 | } 13 | }, 14 | "artifacts": [], 15 | "results": [ 16 | { 17 | "ruleId": "cmd-injection", 18 | "level": "error", 19 | "message": { 20 | "text": "cmd-injection in BenchmarkTest00001.doPost() reachable from BenchmarkTest00001.doPost()" 21 | }, 22 | "locations": [ 23 | { 24 | "physicalLocation": { 25 | "artifactLocation": { 26 | "uri": "org/owasp/benchmark/testcode/BenchmarkTest00001.java" 27 | } 28 | } 29 | } 30 | ] 31 | }, 32 | { 33 | "ruleId": "cookie-flags-missing", 34 | "level": "error", 35 | "message": { 36 | "text": "cookie-flags-missing in BenchmarkTest00002.doPost() reachable from BenchmarkTest00002.doPost()" 37 | }, 38 | "locations": [ 39 | { 40 | "physicalLocation": { 41 | "artifactLocation": { 42 | "uri": "org/owasp/benchmark/testcode/BenchmarkTest00002.java" 43 | } 44 | } 45 | } 46 | ] 47 | } 48 | ], 49 | "invocations": [ 50 | { 51 | "commandLine": "some-cool-command", 52 | "startTimeUtc": "2011-11-11T11:11:11.111+00:00", 53 | "endTimeUtc": "2011-11-11T33:33:33.333+00:00", 54 | "toolExecutionNotifications": [], 55 | "executionSuccessful": true 56 | } 57 | ] 58 | } 59 | ] 60 | } 61 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_CxIAST.csv: -------------------------------------------------------------------------------- 1 | Vulnerability ID,Vulnerability Type,Severity,First Detection Time (YYYY/MM/dd HH:mm),Status,State,URL,Method,Source Filename,Source Line,Source Input,Destination Filename,Destination Line,Destination Output,Assigned User,CWE 2 | 2,Blind_SQL_Injection,MEDIUM,1970/01/01 01:01,NEW,TO_VERIFY,/sqli-01/BenchmarkTest00001?someparams,POST,org/owasp/benchmark/testcode/BenchmarkTest00001.java,43,BenchmarkTest00001,org/owasp/benchmark/testcode/BenchmarkTest00001.java,1,something,,89 3 | 1,Path_Traversal,MEDIUM,1970/01/01 01:01,NEW,TO_VERIFY,/pathtraver-01/BenchmarkTest00002?someparams,POST,org/owasp/benchmark/testcode/BenchmarkTest00002.java,43,BenchmarkTest00002,org/owasp/benchmark/testcode/BenchmarkTest00002.java,1,something,,22 4 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_DatadogSast.sarif: -------------------------------------------------------------------------------- 1 | { 2 | "runs": [ 3 | { 4 | "results": [ 5 | { 6 | "fixes": [], 7 | "level": "warning", 8 | "locations": [ 9 | { 10 | "physicalLocation": { 11 | "artifactLocation": { 12 | "uri": "BenchmarkTest00010.java" 13 | }, 14 | "region": { 15 | "endColumn": 67, 16 | "endLine": 79, 17 | "startColumn": 21, 18 | "startLine": 79 19 | } 20 | } 21 | } 22 | ], 23 | "message": { 24 | "text": "the http only flag is not set on the cookie" 25 | }, 26 | "partialFingerprints": { 27 | "DATADOG_FINGERPRINT": "e4e9899ecb58e179da4fff7e5ce8aadf6bffba5dc40df7e67f1c686fb99fb6ec" 28 | }, 29 | "properties": { 30 | "tags": [ 31 | "DATADOG_CATEGORY:SECURITY", 32 | "CWE:614" 33 | ] 34 | }, 35 | "ruleId": "java-security/cookies-http-only", 36 | "ruleIndex": 0 37 | } 38 | ], 39 | "tool": { 40 | "driver": { 41 | "informationUri": "https://www.datadoghq.com", 42 | "name": "datadog-static-analyzer", 43 | "properties": { 44 | "tags": [ 45 | "DATADOG_DIFF_AWARE_CONFIG_DIGEST:1199c81a70ecaada6cbd3abf5c3ff7c5c1538cab6158bd955abb1c5f319d86e3", 46 | "DATADOG_EXECUTION_TIME_SECS:0", 47 | "DATADOG_DIFF_AWARE_ENABLED:false" 48 | ] 49 | }, 50 | "rules": [ 51 | { 52 | "fullDescription": { 53 | "text": "A cookie must always be created with `HttpOnly`. The flag is set to prevent malicious script to use the cookie. Always set `HttpOnly`.\n\n#### Learn More\n\n - [OWASP HTTP Only](https://owasp.org/www-community/HttpOnly)\n - [Coding Horror - Protecting Your Cookies: HttpOnly](https://blog.codinghorror.com/protecting-your-cookies-httponly/)" 54 | }, 55 | "helpUri": "https://docs.datadoghq.com/static_analysis/rules/owasp10/cookies-http-only", 56 | "id": "java-security/cookies-http-only", 57 | "properties": { 58 | "tags": [ 59 | "DATADOG_RULE_TYPE:STATIC_ANALYSIS", 60 | "CWE:614" 61 | ] 62 | }, 63 | "shortDescription": { 64 | "text": "Cookies HTTP only" 65 | } 66 | } 67 | ], 68 | "version": "0.2.9" 69 | } 70 | } 71 | } 72 | ], 73 | "version": "2.1.0" 74 | } 75 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv: -------------------------------------------------------------------------------- 1 | title,cwe,description,cvss,finding,stream,kind,where,snippet,method 2 | 112. SQL injection - Java SQL API,CWE-89,Use of attacker controlled parameters for querying the data base in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/112,skims,SAST,59,"code snippet",java.java_sql_injection 3 | 004. Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,71,"code snippet",java.java_remote_command_execution -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Fortify20.20_2020Q1-1234.fpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP-Benchmark/BenchmarkUtils/b25dc315b8811166cd2bf19be7571f3ccec00b61/plugin/src/test/resources/testfiles/Benchmark_Fortify20.20_2020Q1-1234.fpr -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_HCL-IAST.hcl: -------------------------------------------------------------------------------- 1 | 01:23:45.666 [main] INFO lorem.ipsum:dolor - doing the magic 2 | 01:23:45.777 [https-jsse-nio-127.0.0.1-8443-exec-3] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/pathtraver-01/BenchmarkTest00001 queryString: ] 3 | 01:23:45.888 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"PathTraversal"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/pathtraver-01/BenchmarkTest00001","method":"POST","queryString":""}}]}]} 4 | 01:23:45.999 [https-jsse-nio-127.0.0.1-8443-exec-6] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/sqli-01/BenchmarkTest00002 queryString: ] 5 | 01:23:46.000 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"Injection.SQL"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/sqli-01/BenchmarkTest00002","method":"POST","queryString":""}}]}]} 6 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_HCL-IAST_DateTime.hcl: -------------------------------------------------------------------------------- 1 | 2023-10-03 01:23:45.666 [main] INFO lorem.ipsum:dolor - doing the magic 2 | 2023-10-03 01:23:45.777 [https-jsse-nio-127.0.0.1-8443-exec-3] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/pathtraver-01/BenchmarkTest00001 queryString: ] 3 | 2023-10-03 01:23:45.888 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"PathTraversal"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/pathtraver-01/BenchmarkTest00001","method":"POST","queryString":""}}]}]} 4 | 2023-10-03 01:23:45.999 [https-jsse-nio-127.0.0.1-8443-exec-6] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/sqli-01/BenchmarkTest00002 queryString: ] 5 | 2023-10-03 01:23:46.000 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"Injection.SQL"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/sqli-01/BenchmarkTest00002","method":"POST","queryString":""}}]}]} 6 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_HCLAppScanSource-2.4.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 1.0 5 | 6 | 7 | 8 | 9 | PathTraversal 10 | 11 | 12 | 13 | 14 | Injection.SQL 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_HCLAppScanStandardReader-v10.0.6.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | HCL AppScan Standard 5 | 10.0.6 6 | 7 | 8 | 01:23:45.6789012 9 | 10 | 11 | 12 | 89 13 | 14 | attSqlInjectionChecks 15 | 16 | 17 | 1111111111 18 | 19 | 20 | 21 | GET /benchmark/sqli-00/BenchmarkTest00001.html?BenchmarkTest00001=SafeText 22 | HTTP/1.1 23 | 24 | 25 | 26 | POST /benchmark/sqli-00/BenchmarkTest00002 HTTP/1.1 27 | 28 | 29 | 30 | 31 | 614 32 | 33 | attRespCookieNotSecureSSL 34 | 35 | 36 | 3333333333 37 | 38 | 39 | 40 | POST /benchmark/securecookie-00/BenchmarkTest00300 HTTP/1.1 41 | 42 | 43 | POST /benchmark/securecookie-00/BenchmarkTest00348 HTTP/1.1 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_JuliaSoft-v2.3.2.1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 00000000-0000-0000-0000-000000000000 4 | COMPLETED 5 | 1970-01-01T01:01:01.001-01:00 6 | 2.3.2.1 7 | 123456 8 | 9 | benchmark.jar 10 | 614 11 | org.owasp.benchmark.testcode.BenchmarkTest00001 12 | Cookie 13 | 1 14 | doPost 15 | 1 16 | 1 17 | InsecureCookieWarning 18 | org/owasp/benchmark/testcode/BenchmarkTest00001.java 19 | false 20 | Security_Features 21 | BUG 22 | Lorem Ipsum 23 | Lorem Ipsum 24 | 25 | 26 | benchmark.jar 27 | 327 28 | org.owasp.benchmark.testcode.BenchmarkTest00002 29 | Cryptography 30 | 1 31 | doPost 32 | 1 33 | 1 34 | RiskyCryptographicAlgorithmWarning 35 | org/owasp/benchmark/testcode/BenchmarkTest00002.java 36 | false 37 | Security_Features 38 | BUG 39 | Lorem Ipsum 40 | Lorem Ipsum 41 | 42 | 0:01:01.123 43 | 44 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Kiuwan-20191012.threadfix: -------------------------------------------------------------------------------- 1 | { 2 | "collectionType": "SAST", 3 | "created": "1970-01-01T01:01:01Z", 4 | "exported": "1970-01-01T01:01:01Z", 5 | "source": "Kiuwan", 6 | "executiveSummary": "Lorem Ipsum", 7 | "metadata": { 8 | "Kiuwan-EngineVersion": "some.version", 9 | "Kiuwan-AnalysisDuration": "01:23:45" 10 | }, 11 | "findings": [ 12 | { 13 | "nativeId": "0000000000", 14 | "severity": "Critical", 15 | "nativeSeverity": "Very High", 16 | "summary": "Lorem Ipsum", 17 | "scannerDetail": "Lorem Ipsum", 18 | "scannerRecommendation": "Lorem Ipsum", 19 | "staticDetails": { 20 | "parameter": "", 21 | "dataFlow": [ 22 | { 23 | "file": "Benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", 24 | "lineNumber": 47, 25 | "columnNumber": 1, 26 | "parameter": "", 27 | "text": "param = request.getHeader(\"BenchmarkTest00001\");", 28 | "sequence": 0 29 | } 30 | ] 31 | }, 32 | "mappings": [ 33 | { 34 | "mappingType": "CWE", 35 | "value": "79", 36 | "primary": true 37 | } 38 | ] 39 | }, 40 | { 41 | "nativeId": "0000000000", 42 | "severity": "Critical", 43 | "nativeSeverity": "Very High", 44 | "summary": "Lorem Ipsum", 45 | "scannerDetail": "Lorem Ipsum", 46 | "scannerRecommendation": "", 47 | "staticDetails": { 48 | "parameter": "", 49 | "dataFlow": [ 50 | { 51 | "file": "Benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java", 52 | "lineNumber": 47, 53 | "columnNumber": 1, 54 | "parameter": "", 55 | "text": "param = request.getHeader(\"BenchmarkTest00002\");", 56 | "sequence": 0 57 | } 58 | ] 59 | }, 60 | "mappings": [ 61 | { 62 | "mappingType": "CWE", 63 | "value": "564", 64 | "primary": true 65 | } 66 | ] 67 | } 68 | ] 69 | } 70 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Klocwork.csv: -------------------------------------------------------------------------------- 1 | File,Path,Line,Method,Code,Severity,State,Status,Taxonomy,Owner 2 | BenchmarkTest00001.java,/opt/klocwork/projects_root/projects/BenchmarkJavaToo/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,58,doPost(),SV.SQL,Error (2),New,Analyze,Java,unowned 3 | BenchmarkTest00002.java,/opt/klocwork/projects_root/projects/BenchmarkJavaToo/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java,64,doPost(),SV.PATH,Warning (3),New,Analyze,Java,unowned 4 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Mend.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 01:23:45 4 | 5 | 6 | Java 7 | 8 | 9 | 10 | CWE-78 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | CWE-89 19 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 20 | https://cwe.mitre.org/data/definitions/89.html 21 | 22 | 23 | 24 | 25 | src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java 26 | 27 | 28 | 29 | 30 | 31 | JavaScript / Node.js 32 | 33 | 34 | 35 | CWE-78 36 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 37 | https://cwe.mitre.org/data/definitions/78.html 38 | 39 | 40 | 41 | 42 | src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java 43 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Netsparker.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | https://localhost:8443/benchmark/ 6 | 123456 7 | 8 | 9 | https://localhost:8443/benchmark/securecookie-00/BenchmarkTest00001?BenchmarkTest00001=whatever 10 | CookieNotMarkedAsSecure 11 | Important 12 | 100 13 | 14 | 15 | 16 | Extra Information 17 | 18 | 19 | A9 20 | A6 21 | 15 22 | 614 23 | 102 24 | 6.5.4 25 | 6.5.10 26 | 6.5.10 27 | 28 | 29 | 30 | https://localhost:8443/benchmark/securecookie-00/BenchmarkTest00002 31 | CookieNotMarkedAsHttpOnly 32 | Low 33 | 100 34 | 35 | 36 | 37 | Extra Information 38 | 39 | 40 | A6 41 | A5 42 | 15 43 | 1004 44 | 107 45 | 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_ParasoftJTest-v10.2.3.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_Seeker.csv: -------------------------------------------------------------------------------- 1 | Owner,ProjectKey,ItemKey,CheckerKey,VulnerabilityName,Severity,ticketUrls,URL,SourceName,SourceType,CodeLocation,StackTrace,VerificationTag,DetectionCount,FirstDetectionTime,LastDetectionTime,Status,OWASP2013,PCI-DSS,CWE-SANS,OWASP2017,GDPR,CAPEC,LastDetectionURL,SeekerServerLink,CustomTags,LatestVersion,LastDetectionHttpHeaders,LastDetectionHttpParams,Description,Remediation,Summary,VerificationProof,TriageEvents,Comments,CodeLocationType,OWASP2021 2 | ,owasp-benchmark,owasp-benchmark-1,CMD-INJECT,"Command Injection",Informative,,"/benchmark/cmdi-00/BenchmarkTest00001",my_user_id,Parameter,"org.owasp.benchmark.testcode.BenchmarkTest00001.doPost():63",,Untagged,2,"1970-01-01 01:23:45 GMT","1970-01-01 01:23:45 GMT",Detected,,,"CWE-78: Command Injection",,,,"/benchmark/cmdi-00/BenchmarkTest00001","http://server:8080/somepath",,,,,,,,,,,"Customer code - direct calls","A04:2021 - Insecure Design" 3 | ,owasp-benchmark,owasp-benchmark-2,TRUST-BOUNDARY-VIOLATION,"Trust Boundary Violation",Informative,,"/benchmark/trustbound-00/BenchmarkTest00002",my_user_id,Parameter,"org.owasp.benchmark.testcode.BenchmarkTest00002.doPost():63",,Untagged,2,"1970-01-01 01:23:45 GMT","1970-01-01 01:23:45 GMT",Detected,,,"CWE-501: Trust Boundary Violation",,,,"/benchmark/trustbound-00/BenchmarkTest00002","http://server:8080/somepath",,,,,,,,,,,"Customer code - direct calls","A04:2021 - Insecure Design" 4 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_ZAP_WEEKLY.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 40012 7 | Cross Site Scripting (Reflected) 8 | Cross Site Scripting (Reflected) 9 | 3 10 | 2 11 | High (Medium) 12 | Lorem Ipsum 13 | 14 | 15 | https://localhost:8443/benchmark/xss-01/BenchmarkTest00001 16 | POST 17 | BenchmarkTest00001 18 | <script>alert(1);</script> 19 | <script>alert(1);</script> 20 | 21 | 22 | 1 23 | Lorem Ipsum 24 | <p>http://projects.webappsec.org/Cross-Site-Scripting</p><p>http://cwe.mitre.org/data/definitions/79.html</p> 25 | 79 26 | 8 27 | 1 28 | 29 | 30 | 40018 31 | SQL Injection - Hypersonic SQL 32 | SQL Injection - Hypersonic SQL 33 | 3 34 | 2 35 | High (Medium) 36 | Lorem Ipsum 37 | 38 | 39 | https://localhost:8443/benchmark/sqli-01/BenchmarkTest00002 40 | POST 41 | BenchmarkTest00002 42 | ' 43 | org.hsql 44 | 45 | 46 | 1 47 | Lorem Ipsum 48 | Lorem Ipsum 49 | <p>https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html</p> 50 | 89 51 | 19 52 | 1 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_horusec-v2.5.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "v2.5.0", 3 | "createdAt": "1970-01-01T00:00:00.0000000Z", 4 | "finishedAt": "1970-01-01T01:23:45.0000000Z", 5 | "analysisVulnerabilities": [ 6 | { 7 | "vulnerabilities": { 8 | "file": "somepath/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", 9 | "details": "Potential XSS in Servlet\nA potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory", 10 | "securityTool": "HorusecEngine" 11 | } 12 | }, 13 | { 14 | "vulnerabilities": { 15 | "file": "somepath/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java", 16 | "details": "SQL Injection\nThe input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", 17 | "securityTool": "HorusecEngine" 18 | } 19 | } 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_sonar-Java-Plugin-v3.14-1234.xml: -------------------------------------------------------------------------------- 1 | 12345 2 | 3 | Java 4 | java 5 | 6 | 7 | 1234 8 | OWASP Benchmark Project 9 | OWASP Benchmark Project 10 | ABC 11 | 00000000-0000-0000-0000-000000000000 12 | org.owasp:benchmark 13 | 14 | 15 | cwe 16 | owasp-a1 17 | sans-top25-insecure 18 | security 19 | OPEN 20 | 42min 21 | 42 22 | CRITICAL 23 | 9470 24 | 1970-01-01T01:01:01-0100 25 | 42 minutes 26 | Make sure "args" is properly sanitized before use in this OS command. 27 | org.owasp:benchmark 28 | 1970-01-01T01:01:01-0100 29 | org.owasp:benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java 30 | squid:S2076 31 | 00000000-0000-0000-0000-000000000000 32 | 33 | 34 | cert 35 | cwe 36 | owasp-a6 37 | security 38 | OPEN 39 | 42min 40 | 42 41 | CRITICAL 42 | 11349 43 | 1970-01-01T01:01:01-0100 44 | 42 minutes 45 | Use a cryptographically strong random number generator (RNG) like "java.security.SecureRandom" in place of this PRNG 46 | org.owasp:benchmark 47 | 1970-01-01T01:01:01-0100 48 | org.owasp:benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java 49 | squid:S2245 50 | 00000000-0000-0000-0000-000000000000 51 | 52 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_sonarqube-v25.1.0.102122.json: -------------------------------------------------------------------------------- 1 | { 2 | "date": "Tuesday, Jan 01, 1970", 3 | "inNewCodePeriod": false, 4 | "allBugs": true, 5 | "fixMissingRule": false, 6 | "noSecurityHotspot": false, 7 | "noRulesInReport": true, 8 | "vulnerabilityPhrase": "Vulnerability", 9 | "noCoverage": true, 10 | "vulnerabilityPluralPhrase": "Vulnerabilities", 11 | "sonarBaseURL": "http://localhost:9876", 12 | "sonarComponent": "benchmark", 13 | "rules": {}, 14 | "issues": [ 15 | { 16 | "rule": "java:S2077", 17 | "severity": "CRITICAL", 18 | "status": "TO_REVIEW", 19 | "component": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", 20 | "line": 57, 21 | "description": "Formatting SQL queries is security-sensitive", 22 | "message": "Make sure using a dynamically formatted SQL query is safe here.", 23 | "key": "11111111-1111-1111-1111-111111111111" 24 | }, 25 | { 26 | "rule": "java:S4790", 27 | "severity": "MINOR", 28 | "status": "TO_REVIEW", 29 | "component": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java", 30 | "line": 50, 31 | "description": "Using weak hashing algorithms is security-sensitive", 32 | "message": "Make sure this weak hash algorithm is not used in a sensitive context here.", 33 | "key": "22222222-2222-2222-2222-222222222222" 34 | } 35 | ], 36 | "hotspotKeys": [ 37 | "11111111-1111-1111-1111-111111111111", 38 | "22222222-2222-2222-2222-222222222222" 39 | ], 40 | "deltaAnalysis": "No", 41 | "qualityGateStatus": false, 42 | "summary": { 43 | "blocker": 0, 44 | "critical": 1, 45 | "major": 2, 46 | "minor": 3 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_sonarqube-v9.1.0.47736.json: -------------------------------------------------------------------------------- 1 | { 2 | "issues": [ 3 | { 4 | "key": "AXv-ikHUnNrc2VzNo8Sp", 5 | "rule": "java:S5542", 6 | "severity": "CRITICAL", 7 | "component": "benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java", 8 | "project": "benchmark", 9 | "line": 0, 10 | "hash": "00000000000000000000000000000000", 11 | "textRange": { 12 | "startLine": 0, 13 | "endLine": 0, 14 | "startOffset": 0, 15 | "endOffset": 0 16 | }, 17 | "flows": [], 18 | "status": "OPEN", 19 | "message": "Use secure mode and padding scheme.", 20 | "effort": "45min", 21 | "debt": "45min", 22 | "author": "someone@somewhere.com", 23 | "tags": [ 24 | "cwe", 25 | "owasp-a3", 26 | "owasp-a6", 27 | "owasp-m5", 28 | "privacy", 29 | "sans-top25-porous" 30 | ], 31 | "creationDate": "1970-01-01T01:01:01+0000", 32 | "updateDate": "1970-01-01T01:01:01+0000", 33 | "type": "VULNERABILITY", 34 | "scope": "MAIN" 35 | } 36 | ], 37 | "hotspots": [ 38 | { 39 | "key": "AXv-ikHwnNrc2VzNo8T3", 40 | "component": "benchmark:src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java", 41 | "project": "benchmark", 42 | "securityCategory": "sql-injection", 43 | "vulnerabilityProbability": "HIGH", 44 | "status": "TO_REVIEW", 45 | "line": 0, 46 | "message": "Make sure using a dynamically formatted SQL query is safe here.", 47 | "author": "someone@somewhere.com", 48 | "creationDate": "1970-01-01T01:01:01+0000", 49 | "updateDate": "1970-01-01T01:01:01+0000" 50 | } 51 | ] 52 | } 53 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/Benchmark_visualcodegrepper-v2.2.0.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 1 5 | Critical 6 | Potential SQL Injection 7 | Lorem Ipsum 8 | C:\somepath\benchmark\src\main\java\org\owasp\benchmark\testcode\BenchmarkTest00001.java 9 | 1 10 | someEvilCode() 11 | False 12 | LawnGreen 13 | 14 | 15 | 2 16 | High 17 | Potential XSS 18 | Lorem Ipsum 19 | C:\somepath\benchmark\src\main\java\org\owasp\benchmark\testcode\BenchmarkTest00002.java 20 | 1 21 | someEvilCode() 22 | False 23 | LawnGreen 24 | 25 | 26 | -------------------------------------------------------------------------------- /plugin/src/test/resources/testfiles/README.md: -------------------------------------------------------------------------------- 1 | # Testfiles 2 | 3 | This directory only contains fake result files to check if the corresponding reader: 4 | 5 | - is capable of reading the result file structure 6 | - is the only reader that reports itself as matching 7 | 8 | Do NOT paste real data here (especially for commercial tools). 9 | -------------------------------------------------------------------------------- /scripts/verifyBenchmarkPluginAvailable.sh: -------------------------------------------------------------------------------- 1 | # Verify the benchmarkutils plugin is installed. And if not, explain how to install it 2 | mvn -Djava.awt.headless=true -Dplugin=org.owasp:benchmarkutils-maven-plugin help:describe 2>&1 >/dev/null 3 | 4 | if [ $? -ne 0 ] 5 | then 6 | echo "" 7 | echo "!!!WARNING: Required plugin: org.owasp:benchmarkutils-maven-plugin not available." 8 | echo "To get and install it, do the following:" 9 | echo " git clone https://github.com/OWASP-Benchmark/BenchmarkUtils.git" 10 | echo " cd BenchmarkUtils" 11 | echo " mvn install" 12 | echo "" 13 | echo "This installs the plugin in your local Maven repo, and it can then be used from anywhere." 14 | echo "" 15 | exit -1 16 | fi 17 | 18 | --------------------------------------------------------------------------------