
Example 6 with SerecoWeb

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

the class AssertVulnerabilities method assertWebResponse.

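/**
 * Asserts that the web response carried by {@code toInspect} equals {@code expectedResponse}.
 * <p>
 * When the two responses are not equal, the individual parts (headers, body, protocol, version,
 * reason phrase, status code) are compared one by one so that the assertion error names the
 * first differing part. If none of those comparisons fails although {@code equals} reported a
 * difference, a generic failure is raised so the mismatch is never silently ignored.
 *
 * @param toInspect        vulnerability whose web response is inspected; must carry a web part
 * @param expectedResponse response the vulnerability is expected to carry; must not be null
 */
public static void assertWebResponse(SerecoVulnerability toInspect, SerecoWebResponse expectedResponse) {
    SerecoWeb vulnerabilityWeb = toInspect.getWeb();
    if (vulnerabilityWeb == null) {
        // fail(...) throws, so the dereference below is not reached with a null web part
        fail("vulnerability web is null!");
    }
    SerecoWebResponse foundResponse = vulnerabilityWeb.getResponse();
    if (foundResponse == null) {
        // a missing response would otherwise surface as a NullPointerException in the
        // part-by-part comparison below instead of a readable assertion failure
        fail("vulnerability web response is null!");
    }
    if (!expectedResponse.equals(foundResponse)) {
        SerecoWebBody expectedBody = expectedResponse.getBody();
        SerecoWebBody foundBody = foundResponse.getBody();
        // compare part by part so the error message points at the differing part
        internalAssertEquals(expectedResponse.getHeaders(), foundResponse.getHeaders(), "headers not as expected");
        internalAssertEquals(expectedBody, foundBody, "body not as expected");
        assertEquals("protocol", expectedResponse.getProtocol(), foundResponse.getProtocol());
        assertEquals("version", expectedResponse.getVersion(), foundResponse.getVersion());
        assertEquals("reasonPhrase", expectedResponse.getReasonPhrase(), foundResponse.getReasonPhrase());
        assertEquals("statusCode", expectedResponse.getStatusCode(), foundResponse.getStatusCode());
        // equals() reported a difference none of the part comparisons could locate
        fail("not equal but not detectable");
    }
}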

Example 7 with SerecoWeb

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

the class AssertVulnerabilitiesParamTest method createVulnerabilityWithCurrentTestData.

/**
 * Builds a vulnerability from the values of the current parameterized test data set.
 * <p>
 * Description, severity, type and the request target are taken from {@code currentTestData};
 * the classification of the new vulnerability is filled with the OWASP, CAPEC, CWE,
 * OWASP proactive controls, HIPAA and PCI values of the same data set.
 *
 * @return a newly created vulnerability populated from {@code currentTestData}
 */
private SerecoVulnerability createVulnerabilityWithCurrentTestData() {
    SerecoVulnerability vulnerability = new SerecoVulnerability();

    /* basic attributes */
    vulnerability.setDescription(currentTestData.get(DESCRIPTION));
    vulnerability.setSeverity(currentTestData.getSeverity());
    vulnerability.setType(currentTestData.get(TYPE));

    /* web part - only the request target is taken from the test data */
    SerecoWeb webPart = new SerecoWeb();
    webPart.getRequest().setTarget(currentTestData.get(URL));
    vulnerability.setWeb(webPart);

    /* classification - the CWE id is stored as its string representation */
    SerecoClassification cls = vulnerability.getClassification();
    cls.setOwasp(currentTestData.get(OWASP));
    cls.setCapec(currentTestData.get(CAPEC));
    cls.setCwe(String.valueOf(currentTestData.getInt(CWE)));
    cls.setOwaspProactiveControls(currentTestData.get(OWASPPROACTIVE));
    cls.setHipaa(currentTestData.get(HIPAA));
    cls.setPci31(currentTestData.get(PCI31));
    cls.setPci32(currentTestData.get(PCI32));

    return vulnerability;
}

Example 8 with SerecoWeb

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

the class VulnerabilityTestDescriptionBuilder method describe.

/**
 * Renders a multi-line, human readable description of a vulnerability for test output.
 * <p>
 * The first row lists severity, CWE and type (each only when present), followed by one
 * row per further attribute: scan type, the code call stack (one indented group of
 * location/relevant/source rows per call stack element, indented one level deeper per
 * element), the web attack, request and response, the description and the classification.
 * Attributes that are {@code null} are left out.
 *
 * @param vulnerability vulnerability to describe, may be null
 * @return the rendered description, or the text {@code "null"} when the vulnerability is null
 */
public String describe(SerecoVulnerability vulnerability) {
    if (vulnerability == null) {
        return "null";
    }
    StringBuilder out = new StringBuilder();
    appendHeaderRow(out, vulnerability);
    appendScanType(out, vulnerability);
    appendCallStack(out, vulnerability.getCode());
    appendWeb(out, vulnerability.getWeb());
    appendTrailer(out, vulnerability);
    return out.toString();
}

/* first row: severity, cwe and type, each only when present */
private void appendHeaderRow(StringBuilder out, SerecoVulnerability vulnerability) {
    if (vulnerability.getSeverity() != null) {
        out.append("severity=").append(vulnerability.getSeverity());
    }
    if (vulnerability.getClassification() != null) {
        out.append(",cwe=").append(vulnerability.getClassification().getCwe());
    }
    if (vulnerability.getType() != null) {
        out.append(",type=").append(vulnerability.getType());
    }
    out.append("\n");
}

/* optional scan type row */
private void appendScanType(StringBuilder out, SerecoVulnerability vulnerability) {
    if (vulnerability.getScanType() != null) {
        out.append("- scanType:").append(vulnerability.getScanType()).append("\n");
    }
}

/*
 * Code call stack, written out element by element (the code parts are not covered by
 * toString). Each element gets location, relevant part and source rows; nested calls
 * are indented one level deeper than their caller.
 */
private void appendCallStack(StringBuilder out, SerecoCodeCallStackElement firstElement) {
    if (firstElement == null) {
        return;
    }
    out.append("- code:\n");
    String indent = INDENTION;
    for (SerecoCodeCallStackElement element = firstElement; element != null; element = element.getCalls()) {
        out.append(indent).append("- location:").append(element.getLocation());
        out.append(", line:").append(element.getLine());
        out.append(", column:").append(element.getColumn()).append("\n");

        out.append(indent).append("- relevant:");
        if (element.getRelevantPart() != null) {
            out.append(element.getRelevantPart());
        }
        out.append("\n");

        out.append(indent).append("- source:");
        if (element.getSource() != null) {
            out.append(element.getSource());
        }
        out.append("\n");

        indent = indent + INDENTION;
    }
    out.append("\n");
}

/* attack, request and response rows of the web part, each only when present */
private void appendWeb(StringBuilder out, SerecoWeb web) {
    if (web == null) {
        return;
    }
    appendIndentedRow(out, "- attack:", web.getAttack());
    appendIndentedRow(out, "- request:", web.getRequest());
    appendIndentedRow(out, "- response:", web.getResponse());
}

/* one indented "label + value" row; skipped when the value is null */
private void appendIndentedRow(StringBuilder out, String label, Object value) {
    if (value != null) {
        out.append(INDENTION).append(label).append(value).append("\n");
    }
}

/* description and classification rows, each only when present */
private void appendTrailer(StringBuilder out, SerecoVulnerability vulnerability) {
    if (vulnerability.getDescription() != null) {
        out.append("- description:").append(vulnerability.getDescription()).append("\n");
    }
    if (vulnerability.getClassification() != null) {
        out.append("- classification:").append(vulnerability.getClassification()).append("\n");
    }
}

Example 9 with SerecoWeb

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWeb in project sechub by mercedes-benz.

the class SerecoFalsePositiveWebScanStrategyTest method createValidTestVulnerability.

/**
 * Creates a web scan vulnerability that is considered valid by the strategy under test.
 * <p>
 * The vulnerability carries the CWE id {@code CWE_ID_4711}, scan type {@code WEB_SCAN},
 * a request with method {@code METHOD1}, target {@code TARGET1}, protocol "protocol1" and
 * version "version1", a response with status code 3333, and an attack with vector
 * {@code ATTACK_VECTOR1} whose evidence snippet is {@code EVIDENCE1}.
 *
 * @return a fully populated test vulnerability
 */
private SerecoVulnerability createValidTestVulnerability() {
    SerecoVulnerability result = new SerecoVulnerability();
    SerecoWeb webPart = new SerecoWeb();

    /* classification and scan type */
    result.getClassification().setCwe(String.valueOf(CWE_ID_4711));
    result.setWeb(webPart);
    result.setScanType(ScanType.WEB_SCAN);

    /* request */
    SerecoWebRequest webRequest = webPart.getRequest();
    webRequest.setMethod(METHOD1);
    webRequest.setTarget(TARGET1);
    webRequest.setProtocol("protocol1");
    webRequest.setVersion("version1");

    /* response */
    webPart.getResponse().setStatusCode(3333);

    /* attack with evidence */
    webPart.getAttack().setVector(ATTACK_VECTOR1);
    SerecoWebEvidence attackEvidence = new SerecoWebEvidence();
    webPart.getAttack().setEvidence(attackEvidence);
    attackEvidence.setSnippet(EVIDENCE1);

    return result;
}
