
Example 1 with SerecoWeb

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

Class AssertVulnerabilities, method assertWebRequest:

public static void assertWebRequest(SerecoVulnerability toInspect, SerecoWebRequest expectedRequest) {
    SerecoWeb vulnerabilityWeb = toInspect.getWeb();
    if (vulnerabilityWeb == null) {
        fail("vulnerability web is null!");
    }
    SerecoWebRequest foundRequest = vulnerabilityWeb.getRequest();
    if (!expectedRequest.equals(foundRequest)) {
        SerecoWebBody body1 = expectedRequest.getBody();
        SerecoWebBody body2 = foundRequest.getBody();
        internalAssertEquals(expectedRequest.getHeaders(), foundRequest.getHeaders(), "headers not as expected");
        internalAssertEquals(body1, body2, "body not as expected");
        fail("not equal but not detectable");
    }
}
Also used: SerecoWebRequest (com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest), SerecoWebBody (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBody), SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Example 2 with SerecoWeb

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

Class SarifV1JSONImporter, method resolveWebInfoFromResult:

private SerecoWeb resolveWebInfoFromResult(Result result) {
    SerecoWeb serecoWeb = new SerecoWeb();
    handleWebRequest(result, serecoWeb);
    handleWebResponse(result, serecoWeb);
    handleWebAttack(result, serecoWeb);
    return serecoWeb;
}
Also used: SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Example 3 with SerecoWeb

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

Class SerecoFalsePositiveWebScanStrategy, method isFalsePositive:

/**
 * Checks if given vulnerability is identified as false positive by given meta
 * data
 *
 * @param vulnerability
 * @param metaData
 * @return <code>true</code> when identified as false positive
 */
public boolean isFalsePositive(SerecoVulnerability vulnerability, FalsePositiveMetaData metaData) {
    notNull(vulnerability, "vulnerability may not be null");
    notNull(metaData, "metaData may not be null");
    /* check supported scan type */
    if (metaData.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    if (vulnerability.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    SerecoWeb vulnerabilityWeb = vulnerability.getWeb();
    if (vulnerabilityWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when vulnerability data has no web parts!");
        return false;
    }
    FalsePositiveWebMetaData metaDataWeb = metaData.getWeb();
    if (metaDataWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no web parts!");
        return false;
    }
    /* ---------------------------------------------------- */
    /* -------------------CWE ID--------------------------- */
    /* ---------------------------------------------------- */
    /* for web scans we only use CWE as wellknown common identifier */
    Integer cweId = metaData.getCweId();
    if (cweId == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no CWE id set!");
        return false;
    }
    SerecoClassification serecoClassification = vulnerability.getClassification();
    String serecoCWE = serecoClassification.getCwe();
    if (serecoCWE == null || serecoCWE.isEmpty()) {
        LOG.error("Web scan sereco vulnerability type:{} found without CWE! Cannot determine false positive! Classification was:{}", vulnerability.getType(), serecoClassification);
        return false;
    }
    try {
        int serecoCWEint = Integer.parseInt(serecoCWE);
        if (cweId.intValue() != serecoCWEint) {
            /* not same type of common vulnerability enumeration - so skip */
            return false;
        }
    } catch (NumberFormatException e) {
        LOG.error("Web scan sereco vulnerability type:{} found CWE:{} but not expected integer format!", vulnerability.getType(), serecoCWE);
        return false;
    }
    boolean sameData = true;
    /* ---------------------------------------------------- */
    /* -------------------NetworkTarget-------------------- */
    /* ---------------------------------------------------- */
    String metaTarget = metaDataWeb.getRequest().getTarget();
    String vulnerabilityTarget = vulnerabilityWeb.getRequest().getTarget();
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaTarget, vulnerabilityTarget);
    /* ---------------------------------------------------- */
    /* -------------------HTTP Method---------------------- */
    /* ---------------------------------------------------- */
    String metaMethod = metaDataWeb.getRequest().getMethod();
    String vulnerabilityMethod = vulnerabilityWeb.getRequest().getMethod();
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaMethod, vulnerabilityMethod);
    /* ---------------------------------------------------- */
    /* -------------------Attack vector-------------------- */
    /* ---------------------------------------------------- */
    String metaAttackVector = metaDataWeb.getRequest().getAttackVector();
    SerecoWebAttack attack = vulnerabilityWeb.getAttack();
    String vulnerabilityAttackVector = attack.getVector();
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaAttackVector, vulnerabilityAttackVector);
    /* ---------------------------------------------------- */
    /* -------------------Evidence------------------------- */
    /* ---------------------------------------------------- */
    String metaEvidence = metaDataWeb.getResponse().getEvidence();
    SerecoWebEvidence evidence = attack.getEvidence();
    String vulnerabilityEvidence = null;
    if (evidence != null) {
        vulnerabilityEvidence = evidence.getSnippet();
    }
    sameData = sameData && SimpleStringUtils.isTrimmedEqual(metaEvidence, vulnerabilityEvidence);
    return sameData;
}
Also used: SerecoWebAttack (com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack), SerecoWebEvidence (com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence), FalsePositiveWebMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveWebMetaData), SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb), SerecoClassification (com.mercedesbenz.sechub.sereco.metadata.SerecoClassification)
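As an added example (not code from the sechub project), the Python below re-implements the decision rules of isFalsePositive and runs them over a constructed reflected-XSS finding and the false-positive mark a reviewer would store for it, including the cases that must not match: a mark for another scan type or another CWE, a CWE that is not a plain integer, a target that differs only by its query string, and a finding that carries no evidence snippet while the mark does. WebFinding, FalsePositiveMark and run_cases are stand-in names for the Java types and there is no such helper in the project; trimmed_equal assumes that SimpleStringUtils.isTrimmedEqual treats null as equal only to null and otherwise compares the trimmed strings.

```python
# Added example, not sechub project code: a Python re-implementation of the
# matching rules in SerecoFalsePositiveWebScanStrategy.isFalsePositive, run
# over constructed findings and marks. Class and field names are simplified
# stand-ins for the Java types; trimmed_equal assumes the semantics of
# SimpleStringUtils.isTrimmedEqual (null equals only null, else compare trimmed).
import re
from dataclasses import dataclass, replace
from typing import List, Optional

WEB_SCAN = "WEB_SCAN"
CODE_SCAN = "CODE_SCAN"


@dataclass
class WebFinding:
    """Stand-in for SerecoVulnerability together with its SerecoWeb parts."""
    scan_type: str
    cwe: Optional[str]              # sereco keeps the CWE as a string
    target: Optional[str]
    method: Optional[str]
    attack_vector: Optional[str]
    evidence_snippet: Optional[str] = None


@dataclass
class FalsePositiveMark:
    """Stand-in for FalsePositiveMetaData with its FalsePositiveWebMetaData parts."""
    scan_type: str
    cwe_id: Optional[int]           # meta data keeps the CWE as an integer
    target: Optional[str]
    method: Optional[str]
    attack_vector: Optional[str]
    evidence: Optional[str]


def trimmed_equal(a: Optional[str], b: Optional[str]) -> bool:
    if a is None or b is None:
        return a is None and b is None
    return a.strip() == b.strip()


def is_false_positive(finding: WebFinding, mark: FalsePositiveMark, log: List[str]) -> bool:
    """True only when every field the strategy compares matches.

    A mark must never silence a finding of another CWE or scan type, or one
    whose data cannot be compared, so each such case returns False and the
    reason is appended to `log` (the Java code logs it at error level)."""
    if mark.scan_type != WEB_SCAN or finding.scan_type != WEB_SCAN:
        return False
    if mark.cwe_id is None:
        log.append("mark has no CWE id")
        return False
    if not finding.cwe:
        log.append("finding has no CWE")
        return False
    # Integer.parseInt accepts neither surrounding whitespace nor a "CWE-"
    # prefix, so mirror that strictly instead of calling int() on a stripped string
    if not re.fullmatch(r"[+-]?\d+", finding.cwe):
        log.append(f"finding CWE {finding.cwe!r} is not an integer")
        return False
    if int(finding.cwe) != mark.cwe_id:
        return False
    return (trimmed_equal(mark.target, finding.target)
            and trimmed_equal(mark.method, finding.method)
            and trimmed_equal(mark.attack_vector, finding.attack_vector)
            and trimmed_equal(mark.evidence, finding.evidence_snippet))


# Constructed sample: a reflected XSS finding and the mark stored for it
PAYLOAD = "<script>alert(1)</script>"
XSS_FINDING = WebFinding(WEB_SCAN, "79", "https://example.test/search", "GET", PAYLOAD, PAYLOAD)
XSS_MARK = FalsePositiveMark(WEB_SCAN, 79, "https://example.test/search", "GET", PAYLOAD, PAYLOAD)


def run_cases():
    """Evaluate variants of finding and mark; returns (case -> decision, log)."""
    cases = {
        "exact match": (XSS_FINDING, XSS_MARK),
        "surrounding whitespace is ignored": (
            XSS_FINDING, replace(XSS_MARK, target="  https://example.test/search ", method="GET ")),
        "different CWE": (XSS_FINDING, replace(XSS_MARK, cwe_id=89)),
        "query string changes the target": (
            replace(XSS_FINDING, target="https://example.test/search?q=1"), XSS_MARK),
        "CWE with prefix is rejected": (replace(XSS_FINDING, cwe="CWE-79"), XSS_MARK),
        "finding without evidence": (replace(XSS_FINDING, evidence_snippet=None), XSS_MARK),
        "both without evidence": (
            replace(XSS_FINDING, evidence_snippet=None), replace(XSS_MARK, evidence=None)),
        "code scan mark never matches": (XSS_FINDING, replace(XSS_MARK, scan_type=CODE_SCAN)),
    }
    log: List[str] = []
    return {name: is_false_positive(f, m, log) for name, (f, m) in cases.items()}, log


if __name__ == "__main__":
    decisions, log = run_cases()
    for name, decision in decisions.items():
        print(f"{name}: {'false positive' if decision else 'still reported'}")
    print("\n".join(log))
```

The practical consequence of these rules is that a mark is bound to the exact target, HTTP method, attack vector and evidence snippet it was created from: when the application moves the endpoint, or the scanner changes its payload between runs, the finding is reported again rather than silently dropped, and every case the code cannot compare (missing CWE, non-numeric CWE, missing web parts) also falls back to reporting it.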

Example 4 with SerecoWeb

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

Class SerecoProductResultTransformer, method appendWebData:

private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SecHubReportWeb sechubWeb = new SecHubReportWeb();
    SecHubReportWebRequest sechubRequest = sechubWeb.getRequest();
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    /* request */
    SerecoWebRequest serecoRequest = serecoWeb.getRequest();
    sechubRequest.setProtocol(serecoRequest.getProtocol());
    sechubRequest.setVersion(serecoRequest.getVersion());
    sechubRequest.setTarget(serecoRequest.getTarget());
    sechubRequest.setMethod(serecoRequest.getMethod());
    sechubRequest.getHeaders().putAll(serecoRequest.getHeaders());
    sechubRequest.getBody().setText(serecoRequest.getBody().getText());
    sechubRequest.getBody().setBinary(serecoRequest.getBody().getBinary());
    /* response */
    SerecoWebResponse serecoResponse = serecoWeb.getResponse();
    SecHubReportWebResponse sechubResponse = sechubWeb.getResponse();
    sechubResponse.setStatusCode(serecoResponse.getStatusCode());
    sechubResponse.setReasonPhrase(serecoResponse.getReasonPhrase());
    sechubResponse.setProtocol(serecoResponse.getProtocol());
    sechubResponse.setVersion(serecoResponse.getVersion());
    sechubResponse.getHeaders().putAll(serecoResponse.getHeaders());
    sechubResponse.getBody().setText(serecoResponse.getBody().getText());
    sechubResponse.getBody().setBinary(serecoResponse.getBody().getBinary());
    /* attack */
    SerecoWebAttack serecoAttack = serecoWeb.getAttack();
    SecHubReportWebAttack sechubAttack = sechubWeb.getAttack();
    sechubAttack.setVector(serecoAttack.getVector());
    SerecoWebEvidence serecoEvidence = serecoAttack.getEvidence();
    if (serecoEvidence != null) {
        SecHubReportWebEvidence sechubEvidence = new SecHubReportWebEvidence();
        sechubEvidence.setSnippet(serecoEvidence.getSnippet());
        SerecoWebBodyLocation serecoBodyLocation = serecoEvidence.getBodyLocation();
        if (serecoBodyLocation != null) {
            SecHubReportWebBodyLocation sechubBodyLocation = new SecHubReportWebBodyLocation();
            sechubBodyLocation.setStartLine(serecoBodyLocation.getStartLine());
            sechubEvidence.setBodyLocation(sechubBodyLocation);
        }
        sechubAttack.setEvidence(sechubEvidence);
    }
    finding.setWeb(sechubWeb);
}
Also used: SerecoWebAttack (com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack), SerecoWebEvidence (com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence), SecHubReportWebEvidence (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebEvidence), SerecoWebRequest (com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest), SecHubReportWebAttack (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack), SecHubReportWebRequest (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebRequest), SecHubReportWebBodyLocation (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebBodyLocation), SecHubReportWeb (com.mercedesbenz.sechub.commons.model.web.SecHubReportWeb), SerecoWebResponse (com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse), SecHubReportWebResponse (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebResponse), SerecoWebBodyLocation (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBodyLocation), SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb)

Example 5 with SerecoWeb

Use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

Class NetsparkerV1XMLImporter, method importResult:

public SerecoMetaData importResult(String xml) throws IOException {
    SerecoMetaData metaData = new SerecoMetaData();
    if (xml == null) {
        xml = "";
    }
    Document document;
    try {
        document = DocumentHelper.parseText(xml);
    } catch (DocumentException e) {
        throw new IOException("Import cannot parse xml", e);
    }
    Element netsparkerCloudElement = document.getRootElement();
    Element vulnerabilitiesElement = netsparkerCloudElement.element("vulnerabilities");
    if (vulnerabilitiesElement == null) {
        throw new IllegalStateException("no vulnerabilities element found!");
    }
    Iterator<Element> it = vulnerabilitiesElement.elementIterator();
    while (it.hasNext()) {
        Element vulnerabilityElement = it.next();
        SerecoVulnerability vulnerability = new SerecoVulnerability();
        metaData.getVulnerabilities().add(vulnerability);
        vulnerability.setSeverity(NetsparkerServerityConverter.convert(vulnerabilityElement.elementText("severity")));
        String targetUrl = vulnerabilityElement.elementText("url");
        SerecoWeb web = new SerecoWeb();
        // at least we set the target URL. Other parts like evidence etc. are currently missing
        web.getRequest().setTarget(targetUrl);
        vulnerability.setWeb(web);
        vulnerability.setType(vulnerabilityElement.elementText("type"));
        vulnerability.setDescription(NetsparkerHtmlToAsciiDocConverter.convert(vulnerabilityElement.elementText("description")));
        vulnerability.setScanType(ScanType.WEB_SCAN);
        Element classificationElement = vulnerabilityElement.element("classification");
        if (classificationElement == null) {
            throw new IllegalStateException("no classification element found!");
        }
        SerecoClassification classification = vulnerability.getClassification();
        classification.setOwasp(classificationElement.elementText("owasp"));
        classification.setWasc(classificationElement.elementText("wasc"));
        classification.setCwe(classificationElement.elementText("cwe"));
        classification.setCapec(classificationElement.elementText("capec"));
        classification.setPci31(classificationElement.elementText("pci31"));
        classification.setPci32(classificationElement.elementText("pci32"));
        classification.setHipaa(classificationElement.elementText("hipaa"));
        classification.setOwaspProactiveControls(classificationElement.elementText("owasppc"));
    }
    return metaData;
}
Also used: SerecoVulnerability (com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability), DocumentException (org.dom4j.DocumentException), Element (org.dom4j.Element), IOException (java.io.IOException), SerecoMetaData (com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData), Document (org.dom4j.Document), SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb), SerecoClassification (com.mercedesbenz.sechub.sereco.metadata.SerecoClassification)
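As an added example (not code from the sechub project), the Python below walks a constructed Netsparker-style document the way importResult does: unparseable input is turned into an I/O error, the vulnerabilities and classification elements are mandatory, missing optional children come back as null, every imported vulnerability is typed WEB_SCAN, and only the request target of the web part is filled in. The root element name, the SEVERITY_MAP, the raw handling of the description and the helpers import_netsparker_xml and import_outcome are assumptions for illustration; the project's NetsparkerServerityConverter and NetsparkerHtmlToAsciiDocConverter are not shown on this page, so their mappings are not reproduced.

```python
# Added example, not sechub project code: a Python re-implementation of the
# element walk in NetsparkerV1XMLImporter.importResult over a constructed
# Netsparker-style document. Root element name, SEVERITY_MAP and the raw
# description handling are assumptions for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed mapping of Netsparker severity text to sechub severities; the
# project's own NetsparkerServerityConverter is not shown on this page.
SEVERITY_MAP = {
    "critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM",
    "low": "LOW", "information": "INFO", "bestpractice": "INFO",
}
# Children of <classification> the importer copies, in the same order
CLASSIFICATION_FIELDS = ("owasp", "wasc", "cwe", "capec", "pci31", "pci32", "hipaa", "owasppc")


@dataclass
class WebVulnerability:
    """Stand-in for SerecoVulnerability with only the fields the importer fills."""
    severity: str
    target: Optional[str]          # SerecoWeb.request.target
    type: Optional[str]
    description: Optional[str]     # kept raw here; the importer converts HTML to AsciiDoc
    classification: Dict[str, Optional[str]] = field(default_factory=dict)
    scan_type: str = "WEB_SCAN"


def convert_severity(text: Optional[str]) -> str:
    return SEVERITY_MAP.get((text or "").strip().lower(), "UNCLASSIFIED")


def import_netsparker_xml(xml: Optional[str]) -> List[WebVulnerability]:
    # Java: null becomes "" and parse failures are wrapped in an IOException
    if xml is None:
        xml = ""
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as e:
        raise OSError("Import cannot parse xml") from e
    vulnerabilities = root.find("vulnerabilities")
    if vulnerabilities is None:
        raise ValueError("no vulnerabilities element found!")
    result: List[WebVulnerability] = []
    for element in vulnerabilities:
        classification = element.find("classification")
        if classification is None:
            raise ValueError("no classification element found!")
        # findtext(), like dom4j elementText(), yields None for a missing child
        result.append(WebVulnerability(
            severity=convert_severity(element.findtext("severity")),
            target=element.findtext("url"),
            type=element.findtext("type"),
            description=element.findtext("description"),
            classification={name: classification.findtext(name) for name in CLASSIFICATION_FIELDS},
        ))
    return result


def import_outcome(xml: Optional[str]) -> str:
    """Run the importer and describe the result or the failure as text."""
    try:
        return f"imported {len(import_netsparker_xml(xml))} vulnerabilities"
    except (OSError, ValueError) as e:
        return f"{type(e).__name__}: {e}"


# Constructed sample input shaped like the elements the importer reads
SAMPLE_XML = """<netsparker-cloud>
  <vulnerabilities>
    <vulnerability>
      <url>https://example.test/search?q=1</url>
      <type>CrossSiteScripting</type>
      <severity>High</severity>
      <description>&lt;p&gt;Reflected input&lt;/p&gt;</description>
      <classification>
        <owasp>A7</owasp><wasc>8</wasc><cwe>79</cwe><capec>19</capec>
        <pci31>6.5.7</pci31><pci32>6.5.7</pci32><hipaa>164.308(a)</hipaa><owasppc>C5</owasppc>
      </classification>
    </vulnerability>
    <vulnerability>
      <url>https://example.test/</url>
      <type>MissingXFrameOptionsHeader</type>
      <severity>Low</severity>
      <description>Header not set</description>
      <classification><cwe>693</cwe></classification>
    </vulnerability>
  </vulnerabilities>
</netsparker-cloud>
"""
NO_CLASSIFICATION_XML = ("<netsparker-cloud><vulnerabilities><vulnerability>"
                         "<url>https://example.test/</url></vulnerability>"
                         "</vulnerabilities></netsparker-cloud>")

if __name__ == "__main__":
    for vulnerability in import_netsparker_xml(SAMPLE_XML):
        print(vulnerability)
    print(import_outcome(None), import_outcome("<netsparker-cloud/>"), import_outcome(NO_CLASSIFICATION_XML))
```

A scanner result file is input the importer does not control, so the parser it uses matters: DocumentHelper.parseText builds its SAXReader with default settings, and whether those resolve external entities depends on the dom4j version in use, which is worth checking in the build. The stdlib ElementTree parser used above does not fetch external entities; entity-expansion limits still depend on the underlying expat version, and defusedxml is the usual drop-in when the input is untrusted.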

Aggregations

SerecoWeb (com.mercedesbenz.sechub.sereco.metadata.SerecoWeb): 9
SerecoWebRequest (com.mercedesbenz.sechub.sereco.metadata.SerecoWebRequest): 4
SerecoClassification (com.mercedesbenz.sechub.sereco.metadata.SerecoClassification): 3
SerecoVulnerability (com.mercedesbenz.sechub.sereco.metadata.SerecoVulnerability): 3
SerecoWebAttack (com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack): 3
SerecoWebEvidence (com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence): 3
SerecoWebResponse (com.mercedesbenz.sechub.sereco.metadata.SerecoWebResponse): 3
SerecoWebBody (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBody): 2
SecHubReportWeb (com.mercedesbenz.sechub.commons.model.web.SecHubReportWeb): 1
SecHubReportWebAttack (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack): 1
SecHubReportWebBodyLocation (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebBodyLocation): 1
SecHubReportWebEvidence (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebEvidence): 1
SecHubReportWebRequest (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebRequest): 1
SecHubReportWebResponse (com.mercedesbenz.sechub.commons.model.web.SecHubReportWebResponse): 1
FalsePositiveWebMetaData (com.mercedesbenz.sechub.domain.scan.project.FalsePositiveWebMetaData): 1
SerecoCodeCallStackElement (com.mercedesbenz.sechub.sereco.metadata.SerecoCodeCallStackElement): 1
SerecoMetaData (com.mercedesbenz.sechub.sereco.metadata.SerecoMetaData): 1
SerecoWebBodyLocation (com.mercedesbenz.sechub.sereco.metadata.SerecoWebBodyLocation): 1
IOException (java.io.IOException): 1
Document (org.dom4j.Document): 1