
Example 1 with SerecoVulnerability

use of com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability in project sechub by mercedes-benz.

From class IntegrationTestPDSCodeScanImporterTest, method when_data_contains_critical_medium_low_info__exact_this_ones_will_be_imported.

@Test
public void when_data_contains_critical_medium_low_info__exact_this_ones_will_be_imported() throws Exception {
    /* prepare */
    /* @formatter:off */
    // Product header on line 1, two empty lines, then one finding per line (lines 4..7 of the data).
    String data = String.join("\n",
            "#PDS_INTTEST_PRODUCT_CODESCAN",
            "",
            "",
            "CRITICAL:i am a critical error",
            "MEDIUM:i am a medium error",
            "LOW:i am just a low error",
            "INFO:i am just an information");
    /* @formatter:on */

    /* execute */
    SerecoMetaData result = importerToTest.importResult(data);

    /* test */
    List<SerecoVulnerability> imported = result.getVulnerabilities();
    assertEquals(4, imported.size());

    // Imported vulnerabilities are expected in input order. The numeric argument to check(...)
    // presumably is the 1-based line of the finding inside `data` — confirm against check(...).
    check(SerecoSeverity.CRITICAL, 4, "i am a critical error", imported.get(0));
    check(SerecoSeverity.MEDIUM, 5, "i am a medium error", imported.get(1));
    check(SerecoSeverity.LOW, 6, "i am just a low error", imported.get(2));
    check(SerecoSeverity.INFO, 7, "i am just an information", imported.get(3));
}
Also used : SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData) Test(org.junit.Test)

Example 2 with SerecoVulnerability

use of com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability in project sechub by mercedes-benz.

From class AssertVulnerabilitiesTest, method healthCheck_empty_strings_but_only_owasp1_set_but_owasp2_as_classification_is_NOT_contained.

@Test
public void healthCheck_empty_strings_but_only_owasp1_set_but_owasp2_as_classification_is_NOT_contained() {
    /* prepare */
    // Only the OWASP classification is set; every other field keeps its default value.
    SerecoVulnerability vulnerability = new SerecoVulnerability();
    vulnerability.getClassification().setOwasp("owasp2");

    /* test */
    /* @formatter:off */
    // Searching for "owasp1" must not match a vulnerability classified as "owasp2".
    AssertVulnerabilities.assertVulnerabilities(Collections.singletonList(vulnerability)).
        vulnerability().
            classifiedBy().
                owasp("owasp1").
            and().
        isNotContained();
    /* @formatter:on */
}
Also used : SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) Test(org.junit.Test)

Example 3 with SerecoVulnerability

use of com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability in project sechub by mercedes-benz.

From class CheckmarxV1XMLImporterTest, method xmlReportFromCheckmarxVhasNoDescriptionButCodeInfo.

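@Test
public void xmlReportFromCheckmarxVhasNoDescriptionButCodeInfo() throws Exception {
    /* prepare */
    String xml = SerecoTestFileSupport.INSTANCE.loadTestFile("checkmarx/sechub-continous-integration-with-false-positive.xml");

    /* execute */
    SerecoMetaData result = importerToTest.importResult(xml);

    /* test */
    List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();

    /*
     * v1 is not the first entry, because the first entry was a false positive
     * which was already filtered
     */
    SerecoVulnerability v1 = fetchFirstNonFalsePositive(vulnerabilities);
    assertEquals(SerecoSeverity.MEDIUM, v1.getSeverity());
    assertEquals("", v1.getDescription()); // no description in report, but code info (below) must exist
    assertEquals(ScanType.CODE_SCAN, v1.getScanType());

    /* code info: the location where the finding starts */
    SerecoCodeCallStackElement codeInfo = v1.getCode();
    assertNotNull(codeInfo);
    assertEquals("com/mercedesbenz/sechub/server/IntegrationTestServerRestController.java", codeInfo.getLocation());
    assertEquals(Integer.valueOf(86), codeInfo.getLine());
    assertEquals(Integer.valueOf(37), codeInfo.getColumn());
    // the leading whitespace of the source line is part of the expected value
    assertEquals("			@PathVariable(\"fileName\") String fileName) throws IOException {", codeInfo.getSource());
    assertEquals("fileName", codeInfo.getRelevantPart());

    /* call stack: two levels below the finding */
    SerecoCodeCallStackElement calls1 = codeInfo.getCalls();
    assertNotNull(calls1);
    SerecoCodeCallStackElement calls2 = calls1.getCalls();
    assertNotNull(calls2);
    assertEquals("com/mercedesbenz/sechub/sharedkernel/storage/JobStorage.java", calls2.getLocation());
    assertEquals(Integer.valueOf(139), calls2.getLine());
    assertEquals(Integer.valueOf(39), calls2.getColumn());
    assertEquals("	public String getAbsolutePath(String fileName) {", calls2.getSource());
    // NOTE(review): the former last assertion repeated the codeInfo relevant-part check instead of
    // covering calls2; it was dropped as redundant. calls2.getRelevantPart() is still unasserted —
    // TODO confirm its expected value from the test file before adding that check.
}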
Also used : SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SerecoCodeCallStackElement(com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData) Test(org.junit.Test)

Example 4 with SerecoVulnerability

use of com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability in project sechub by mercedes-benz.

From class NetsparkerV1XMLImporterTest, method test_xml_import_netsparker_1_9_1_977_contains_specific_vulnerability_with_table.

@Test
public void test_xml_import_netsparker_1_9_1_977_contains_specific_vulnerability_with_table() throws Exception {
    /* prepare */
    String xml = support.loadTestFile(SerecoTestFileSupport.NETSPARKER_V1_9_1_977_XML_TESTFILE);

    /* execute */
    SerecoMetaData result = importerToTest.importResult(xml);
    List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();

    /* test */
    // every imported netsparker finding must be a web scan finding
    for (SerecoVulnerability vulnerability : vulnerabilities) {
        assertEquals(ScanType.WEB_SCAN, vulnerability.getScanType());
    }

    // the imported description is expected to carry an asciidoc-style table
    String expectedDescription =
            "Netsparker Enterprise detected errors during parsing of Strict-Transport-Security header.\n\n" +
            ".Table\n" +
            "|=========================\n" +
            "| Error | Resolution\n" +
            "\n" +
            "| preload directive not present\n" +
            "| Submit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.\n" +
            "|=========================";

    /* @formatter:off */
    assertVulnerabilities(vulnerabilities).
        vulnerability().
            withSeverity(SerecoSeverity.MEDIUM).
            isExactDefinedWebVulnerability().
                withTarget("https://app.example.org:8082/").
            and().
            withType("HstsErrors").
            classifiedBy().
                owasp("A5").
                wasc("15").
                cwe("16").
            and().
            withDescriptionContaining(expectedDescription).
        isContained();
    /* @formatter:on */
}
Also used : SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData) Test(org.junit.Test)

Example 5 with SerecoVulnerability

use of com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability in project sechub by mercedes-benz.

From class NetsparkerV1XMLImporterTest, method test_xml_import_netsparker_1_9_1_977_contains_specific_vulnerability.

@Test
public void test_xml_import_netsparker_1_9_1_977_contains_specific_vulnerability() throws Exception {
    /* prepare */
    String xml = support.loadTestFile(SerecoTestFileSupport.NETSPARKER_V1_9_1_977_XML_TESTFILE);

    /* execute */
    SerecoMetaData result = importerToTest.importResult(xml);
    List<SerecoVulnerability> vulnerabilities = result.getVulnerabilities();

    /* test */
    // every imported netsparker finding must be a web scan finding
    vulnerabilities.forEach(vulnerability -> assertEquals(ScanType.WEB_SCAN, vulnerability.getScanType()));

    String invalidCertificateDescription =
            "Netsparker Enterprise identified an invalid SSL certificate.\n\n" +
            "An SSL certificate can be created and signed by anyone. You should have a valid SSL certificate to make your visitors sure about the secure communication between your website and them. If you have an invalid certificate, your visitors will have trouble distinguishing between your certificate and those of attackers.";

    String insecureHttpDescription =
            "Netsparker Enterprise identified that the target website allows web browsers to access to the website over HTTP and doesn't redirect them to HTTPS.\n\n" +
            "HSTS is implemented in the target website however HTTP requests are not redirected to HTTPS. This decreases the value of HSTS implementation significantly.\n\n" +
            "For example visitors who haven't visited the HTTPS version of the website previously will not be able to take advantage of HSTS.";

    /* @formatter:off */
    // first finding: invalid certificate on the https target
    assertVulnerabilities(vulnerabilities).
        vulnerability().
            withSeverity(SerecoSeverity.MEDIUM).
            isExactDefinedWebVulnerability().
                withTarget("https://app.example.org:8082/").
            and().
            withType("InvalidSslCertificate").
            classifiedBy().
                owasp("A6").
                wasc("4").
                cwe("295").
                capec("459").
                pci32("6.5.4").
            and().
            withDescriptionContaining(invalidCertificateDescription).
        isContained().
        // second finding: plain http usage on the http target (trace enabled for this one)
        vulnerability().
            enableTrace().
            withSeverity(SerecoSeverity.MEDIUM).
            isExactDefinedWebVulnerability().
                withTarget("http://app.example.org:8082/").
            and().
            withType("InsecureHttpUsage").
            classifiedBy().
                owasp("A5").
                wasc("4").
            and().
            withDescriptionContaining(insecureHttpDescription).
        isContained();
    /* @formatter:on */
}
Also used : SerecoVulnerability(com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability) SerecoMetaData(com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData) Test(org.junit.Test)

Aggregations

SerecoVulnerability (com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability)55 SerecoMetaData (com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData)31 Test (org.junit.Test)27 FalsePositiveMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveMetaData)12 Test (org.junit.jupiter.api.Test)11 SerecoCodeCallStackElement (com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement)7 SerecoClassification (com.mercedesbenz.sechub.sereco.metadata.SerecoClassification)5 ArrayList (java.util.ArrayList)5 SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)3 IOException (java.io.IOException)3 Document (org.dom4j.Document)3 DocumentException (org.dom4j.DocumentException)3 Element (org.dom4j.Element)3 ImportParameter (com.mercedesbenz.sechub.sereco.ImportParameter)2 SerecoWebRequest (com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest)2 ScanType (com.mercedesbenz.sechub.commons.model.ScanType)1 SecHubFinding (com.mercedesbenz.sechub.commons.model.SecHubFinding)1 ReportTransformationResult (com.mercedesbenz.sechub.domain.scan.ReportTransformationResult)1 FalsePositiveEntry (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveEntry)1 FalsePositiveProjectConfiguration (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveProjectConfiguration)1