
Example 1 with FalsePositiveWebMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveWebMetaData in project sechub by mercedes-benz.

From the class SerecoFalsePositiveWebScanStrategy, method isFalsePositive:

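/**
 * Checks if the given vulnerability is identified as false positive by the
 * given meta data. Both sides must be web scan data and carry the same CWE
 * id; afterwards the request target, HTTP method, attack vector and the
 * response evidence are compared (trimmed, via
 * {@link SimpleStringUtils#isTrimmedEqual(String, String)}).
 *
 * @param vulnerability sereco vulnerability to check, never <code>null</code>
 * @param metaData      false positive meta data to compare with, never
 *                      <code>null</code>
 * @return <code>true</code> when identified as false positive, otherwise
 *         <code>false</code> - also when the data cannot be compared at all
 *         (wrong scan type, missing web parts, missing or unparseable CWE);
 *         those situations are logged as errors
 */
public boolean isFalsePositive(SerecoVulnerability vulnerability, FalsePositiveMetaData metaData) {
    notNull(vulnerability, " vulnerability may not be null");
    notNull(metaData, " metaData may not be null");

    /* check supported scan type - this strategy handles web scans only */
    if (metaData.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    if (vulnerability.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    SerecoWeb vulnerabilityWeb = vulnerability.getWeb();
    if (vulnerabilityWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when vulnerability data has no web parts!");
        return false;
    }
    FalsePositiveWebMetaData metaDataWeb = metaData.getWeb();
    if (metaDataWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no web parts!");
        return false;
    }
    /* for web scans we only use CWE as well known common identifier */
    if (!hasSameCweId(vulnerability, metaData)) {
        return false;
    }
    return hasSameWebData(vulnerabilityWeb, metaDataWeb);
}

/**
 * Compares the CWE id of the false positive meta data with the CWE of the
 * vulnerability classification.
 *
 * @param vulnerability vulnerability whose classification provides the CWE
 * @param metaData      meta data providing the expected CWE id
 * @return <code>true</code> only when both CWE ids are present, the
 *         vulnerability CWE is an integer and both are equal
 */
private boolean hasSameCweId(SerecoVulnerability vulnerability, FalsePositiveMetaData metaData) {
    Integer cweId = metaData.getCweId();
    if (cweId == null) {
        LOG.error("Cannot check web vulnerability for false positives web code meta data has no CWE id set!");
        return false;
    }
    SerecoClassification serecoClassification = vulnerability.getClassification();
    /* guard: without a classification there is no CWE to compare, so treat as no match instead of failing with NPE */
    if (serecoClassification == null) {
        LOG.error("Web scan sereco vulnerability type:{} found without classification! Cannot determine false positive!", vulnerability.getType());
        return false;
    }
    String serecoCWE = serecoClassification.getCwe();
    if (serecoCWE == null || serecoCWE.isEmpty()) {
        LOG.error("Code scan sereco vulnerability type:{} found without CWE! Cannot determin false positive! Classification was:{}", vulnerability.getType(), serecoClassification);
        return false;
    }
    try {
        int serecoCWEint = Integer.parseInt(serecoCWE);
        /* a different common vulnerability enumeration means a different finding - never a match */
        return cweId.intValue() == serecoCWEint;
    } catch (NumberFormatException e) {
        LOG.error("Code scan sereco vulnerability type:{} found CWE:{} but not expected integer format!", vulnerability.getType(), serecoCWE);
        return false;
    }
}

/**
 * Compares the web specific parts: request target, HTTP method, attack
 * vector and response evidence. All comparisons are trimmed string
 * comparisons.
 *
 * @param vulnerabilityWeb web part of the vulnerability, never
 *                         <code>null</code>
 * @param metaDataWeb      web part of the false positive meta data, never
 *                         <code>null</code>
 * @return <code>true</code> when all four parts are trimmed equal
 */
private boolean hasSameWebData(SerecoWeb vulnerabilityWeb, FalsePositiveWebMetaData metaDataWeb) {
    boolean sameData = true;
    /* ---------------------------------------------------- */
    /* -------------------NetworkTarget-------------------- */
    /* ---------------------------------------------------- */
    String metaTarget = metaDataWeb.getRequest().getTarget();
    String vulnerabilityTarget = vulnerabilityWeb.getRequest().getTarget();
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaTarget, vulnerabilityTarget);
    /* ---------------------------------------------------- */
    /* -------------------HTTP Method---------------------- */
    /* ---------------------------------------------------- */
    String metaMethod = metaDataWeb.getRequest().getMethod();
    String vulnerabilityMethod = vulnerabilityWeb.getRequest().getMethod();
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaMethod, vulnerabilityMethod);
    /* ---------------------------------------------------- */
    /* -------------------Attack vector-------------------- */
    /* ---------------------------------------------------- */
    String metaAttackVector = metaDataWeb.getRequest().getAttackVector();
    SerecoWebAttack attack = vulnerabilityWeb.getAttack();
    /* guard: a missing attack part is handled like a missing evidence part (compared as null) instead of failing with NPE */
    String vulnerabilityAttackVector = null;
    SerecoWebEvidence evidence = null;
    if (attack != null) {
        vulnerabilityAttackVector = attack.getVector();
        evidence = attack.getEvidence();
    }
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaAttackVector, vulnerabilityAttackVector);
    /* ---------------------------------------------------- */
    /* -------------------Evidence------------------------- */
    /* ---------------------------------------------------- */
    String metaEvidence = metaDataWeb.getResponse().getEvidence();
    String vulnerabilityEvidence = null;
    if (evidence != null) {
        vulnerabilityEvidence = evidence.getSnippet();
    }
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaEvidence, vulnerabilityEvidence);
    return sameData;
}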

Example 2 with FalsePositiveWebMetaData

use of com.mercedesbenz.sechub.domain.scan.project.FalsePositiveWebMetaData in project sechub by mercedes-benz.

From the test class SerecoFalsePositiveWebScanStrategyTest, method createValidTestFalsePositiveMetaData:

/**
 * Creates false positive meta data for a web scan with CWE id 4711 whose
 * request (attack vector, method, protocol, target, version) and response
 * evidence are filled with the test constants.
 *
 * @return fully populated web scan false positive meta data
 */
private FalsePositiveMetaData createValidTestFalsePositiveMetaData() {
    /* build the web parts first, then attach them to the meta data */
    FalsePositiveWebMetaData webMetaData = new FalsePositiveWebMetaData();

    FalsePositiveWebRequestMetaData request = webMetaData.getRequest();
    request.setTarget(TARGET1);
    request.setMethod(METHOD1);
    request.setAttackVector(ATTACK_VECTOR1);
    request.setProtocol("protocol1");
    request.setVersion("version1");

    FalsePositiveWebResponseMetaData response = webMetaData.getResponse();
    response.setEvidence(EVIDENCE1);

    FalsePositiveMetaData result = new FalsePositiveMetaData();
    result.setScanType(ScanType.WEB_SCAN);
    result.setCweId(4711);
    result.setWeb(webMetaData);
    return result;
}
