
Example 11 with SerecoCodeCallStackElement

use of com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement in project sechub by mercedes-benz.

the class CheckmarxV1XMLImporter method importResult.

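/**
 * Imports a Checkmarx V1 XML report into SeReCo meta data.
 *
 * Every {@code <Query>} below the root element contributes the vulnerability type
 * (the query name with all {@code NAME_PATTERN} matches replaced by a space), the
 * CWE id and the categories; every {@code <Result>} inside it becomes one
 * {@link SerecoVulnerability} of scan type CODE_SCAN with severity, false positive
 * flag, deep link and the call stack resolved from its {@code <Path>} node.
 *
 * @param xml the report content; {@code null} is treated as an empty string
 *            (which then fails to parse)
 * @return meta data containing one vulnerability per result element
 * @throws IOException when the XML cannot be parsed (the DocumentException is kept as cause)
 */
public SerecoMetaData importResult(String xml) throws IOException {
    if (xml == null) {
        xml = "";
    }
    Document document;
    try {
        // NOTE(review): DocumentHelper.parseText() builds a SAXReader with the dom4j defaults.
        // The report is produced by an external product, so confirm that DTD loading and
        // external entity resolution are disabled for this parser (XXE); not verifiable here.
        document = DocumentHelper.parseText(xml);
    } catch (DocumentException e) {
        throw new IOException("Import cannot parse xml", e);
    }
    CheckmarxCategoriesToClassificationConverter categoryConverter = new CheckmarxCategoriesToClassificationConverter();
    SerecoMetaData metaData = new SerecoMetaData();
    Element checkmarxCxXMLResults = document.getRootElement();
    List<Element> queryElements = checkmarxCxXMLResults.elements("Query");
    for (Element queryElement : queryElements) {
        String name = queryElement.attributeValue("name");
        // a <Query> without a name attribute must not abort the whole import with an NPE
        String type = name == null ? "" : NAME_PATTERN.matcher(name).replaceAll(" ");
        String categories = queryElement.attributeValue("categories");
        String cweId = queryElement.attributeValue("cweId");
        List<Element> resultElements = queryElement.elements("Result");
        for (Element resultElement : resultElements) {
            String falsePositive = resultElement.attributeValue("FalsePositive");
            String deeplink = resultElement.attributeValue("DeepLink");
            String severity = resultElement.attributeValue("Severity");
            SerecoVulnerability vulnerability = new SerecoVulnerability();
            // parseBoolean: only the literal "true" (case-insensitive) marks a false positive
            vulnerability.setFalsePositive(Boolean.parseBoolean(falsePositive));
            if (vulnerability.isFalsePositive()) {
                vulnerability.setFalsePositiveReason("marked directly in security product");
            }
            vulnerability.setType(type);
            // Checkmarx reports "Information" where SeReCo expects "info"
            if ("Information".equalsIgnoreCase(severity)) {
                severity = "info";
            }
            vulnerability.setSeverity(SerecoSeverity.fromString(severity));
            SerecoCodeCallStackElement codeInfo = resolveCodeInfoFromElement(resultElement);
            vulnerability.setCode(codeInfo);
            vulnerability.setProductResultLink(deeplink);
            // at least at the moment we set no description any more
            vulnerability.setDescription("");
            vulnerability.getClassification().setCwe(cweId);
            vulnerability.setScanType(ScanType.CODE_SCAN);
            categoryConverter.convert(categories, vulnerability.getClassification());
            metaData.getVulnerabilities().add(vulnerability);
        }
    }
    return metaData;
}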

Example 12 with SerecoCodeCallStackElement

use of com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement in project sechub by mercedes-benz.

the class CheckmarxV1XMLImporter method resolveCodeInfoFromElement.

/**
 * Builds the call stack of one Checkmarx {@code <Result>}: each {@code <PathNode>} below
 * its {@code <Path>} element becomes a SerecoCodeCallStackElement (filled by
 * fillPathNodeInfo), and every element is linked to its successor via setCalls().
 *
 * @param resultElement the result element to inspect
 * @return the head of the chain, or {@code null} when there is no {@code <Path>}
 *         (a {@code <Path>} without {@code <PathNode>} children also yields {@code null})
 */
private SerecoCodeCallStackElement resolveCodeInfoFromElement(Element resultElement) {
    Element pathElement = resultElement.element("Path");
    if (pathElement == null) {
        return null;
    }
    List<Element> pathNodes = pathElement.elements("PathNode");
    SerecoCodeCallStackElement head = null;
    SerecoCodeCallStackElement tail = null;
    for (Element pathNode : pathNodes) {
        SerecoCodeCallStackElement current = new SerecoCodeCallStackElement();
        fillPathNodeInfo(current, pathNode);
        if (head == null) {
            head = current;
        } else {
            // tail is non-null whenever head is
            tail.setCalls(current);
        }
        tail = current;
    }
    return head;
}

Example 13 with SerecoCodeCallStackElement

use of com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement in project sechub by mercedes-benz.

the class AssertVulnerabilities method dump.

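/**
 * Logs a human readable dump of the given vulnerabilities, grouped by CWE id in ascending
 * order (a missing CWE counts as 0). Each group is headed by the CWE, the type of its first
 * entry and the group size; every vulnerability follows with its CWE, its type truncated to
 * 10 characters, its toString() and one numbered line per call stack element.
 *
 * @param vulnerabilities the vulnerabilities to dump; CWE strings must be numeric
 *                        (Integer.valueOf is used for grouping)
 */
private static void dump(List<SerecoVulnerability> vulnerabilities) {
    SortedMap<Integer, List<SerecoVulnerability>> byCwe = new TreeMap<>();
    for (SerecoVulnerability vulnerability : vulnerabilities) {
        String cwe = vulnerability.getClassification().getCwe();
        if (cwe == null) {
            cwe = "0";
        }
        // Let computeIfAbsent create the bucket itself. The former mapping function called
        // map.put() from inside computeIfAbsent - a structural modification during the
        // computation, which TreeMap rejects with ConcurrentModificationException on JDK 15+.
        byCwe.computeIfAbsent(Integer.valueOf(cwe), key -> new ArrayList<SerecoVulnerability>()).add(vulnerability);
    }
    StringBuilder sb = new StringBuilder();
    for (List<SerecoVulnerability> group : byCwe.values()) {
        SerecoVulnerability first = group.get(0);
        sb.append("CWE " + first.getClassification().getCwe() + " \"" + first.getType() + "\" found " + group.size()).append(" times:\n");
        for (SerecoVulnerability vulnerability : group) {
            sb.append("- CWE=").append(vulnerability.getClassification().getCwe());
            sb.append(',').append(SimpleStringUtils.truncateWhenTooLong(vulnerability.getType(), 10));
            sb.append("\n");
            sb.append("    |->").append(vulnerability);
            sb.append("\n");
            int step = 0;
            for (SerecoCodeCallStackElement element = vulnerability.getCode(); element != null; element = element.getCalls()) {
                step++;
                sb.append(step).append(':');
                sb.append("  |-- location=").append(element.getLocation());
                sb.append(", line=").append(element.getLine()).append(", column=").append(element.getColumn());
                sb.append("\n");
            }
            sb.append("\n");
        }
    }
    LOG.info("-----------------------------------------------------------");
    LOG.info("----------------------------DUMP---------------------------");
    LOG.info("-----------------------------------------------------------");
    LOG.info(sb.toString());
    LOG.info("-----------------------------------------------------------");
}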

Example 14 with SerecoCodeCallStackElement

use of com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement in project sechub by mercedes-benz.

the class VulnerabilityTestDescriptionBuilder method describe.

/**
 * Renders a SerecoVulnerability as multi-line text (used in test descriptions).
 *
 * The first row lists severity, cwe and type (each only when the corresponding getter
 * is non-null, so a leading comma can appear when severity is missing). Further rows
 * cover the scan type, the code call stack (one INDENTION level deeper per call, with
 * location/line/column, relevant part and source), the web attack/request/response,
 * the description and the classification.
 *
 * @param vulnerability the vulnerability to describe
 * @return the text, or the string {@code "null"} for a {@code null} argument
 */
public String describe(SerecoVulnerability vulnerability) {
    if (vulnerability == null) {
        return "null";
    }
    StringBuilder out = new StringBuilder();
    /* first row */
    if (vulnerability.getSeverity() != null) {
        out.append("severity=").append(vulnerability.getSeverity());
    }
    if (vulnerability.getClassification() != null) {
        out.append(",cwe=").append(vulnerability.getClassification().getCwe());
    }
    if (vulnerability.getType() != null) {
        out.append(",type=").append(vulnerability.getType());
    }
    out.append("\n");
    /* additional rows */
    if (vulnerability.getScanType() != null) {
        out.append("- scanType:").append(vulnerability.getScanType()).append("\n");
    }
    if (vulnerability.getCode() != null) {
        out.append("- code:").append("\n");
        appendCallStack(out, vulnerability.getCode());
        out.append("\n");
    }
    SerecoWeb web = vulnerability.getWeb();
    if (web != null) {
        appendIndentedRow(out, "- attack:", web.getAttack());
        appendIndentedRow(out, "- request:", web.getRequest());
        appendIndentedRow(out, "- response:", web.getResponse());
    }
    if (vulnerability.getDescription() != null) {
        out.append("- description:").append(vulnerability.getDescription()).append("\n");
    }
    if (vulnerability.getClassification() != null) {
        out.append("- classification:").append(vulnerability.getClassification()).append("\n");
    }
    /* code parts not inside toString */
    return out.toString();
}

/**
 * Appends one row per call stack element, each nested one INDENTION level deeper than
 * the previous one: location/line/column, then the relevant part and the source (both
 * left empty rather than rendered as "null" when absent).
 */
private void appendCallStack(StringBuilder out, SerecoCodeCallStackElement first) {
    String indent = INDENTION;
    for (SerecoCodeCallStackElement element = first; element != null; element = element.getCalls()) {
        out.append(indent).append("- location:").append(element.getLocation());
        out.append(", line:").append(element.getLine());
        out.append(", column:").append(element.getColumn()).append("\n");
        out.append(indent).append("- relevant:");
        if (element.getRelevantPart() != null) {
            out.append(element.getRelevantPart());
        }
        out.append("\n");
        out.append(indent).append("- source:");
        if (element.getSource() != null) {
            out.append(element.getSource());
        }
        out.append("\n");
        indent = indent + INDENTION;
    }
}

/**
 * Appends {@code INDENTION + label + value + "\n"} when value is not null; otherwise nothing.
 */
private void appendIndentedRow(StringBuilder out, String label, Object value) {
    if (value == null) {
        return;
    }
    out.append(INDENTION).append(label).append(value).append("\n");
}

Example 15 with SerecoCodeCallStackElement

use of com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement in project sechub by mercedes-benz.

the class SarifV1JSONImporterTest method sarif_report_has_code_info.

/**
 * Importing the SARIF 2.1.0 brakeman report yields code information (location and line)
 * for the first finding that is not a false positive, the rule id as type (brakeman ships
 * no short description, so the importer has to fall back to the id) and 32 findings overall.
 */
@Test
void sarif_report_has_code_info() throws Exception {
    /* prepare */
    SerecoMetaData imported = importerToTest.importResult(sarif_2_1_0_brakeman);
    /* execute */
    List<SerecoVulnerability> found = imported.getVulnerabilities();
    SerecoVulnerability first = fetchFirstNonFalsePositive(found);
    SerecoCodeCallStackElement code = first.getCode();
    /* test */
    assertNotNull(code);
    // brakeman provides no short description -> the rule id (which must be available) is the type
    assertEquals("BRAKE0102", first.getType());
    assertEquals("Rails 5.0.0 `content_tag` does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to Rails 5.0.0.1.", first.getDescription());
    assertEquals("Gemfile.lock", code.getLocation());
    assertEquals(115, code.getLine().intValue());
    assertEquals(32, found.size());
}
