
Example 1 with SerecoWebAttack

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack in project sechub by mercedes-benz.

Class SerecoFalsePositiveWebScanStrategy, method isFalsePositive:

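/**
 * Checks if the given web scan vulnerability is identified as a false positive
 * by the given false positive meta data.
 * <p>
 * Both sides must be of scan type {@code WEB_SCAN}. For web scans the CWE id is
 * the only common identifier: when the CWE does not match, the vulnerability is
 * never treated as a false positive. When the CWE matches, the request target,
 * the HTTP method, the attack vector and the evidence snippet are compared
 * (trimmed, via {@code SimpleStringUtils.isTrimmedEqual}) and all of them must
 * be equal.
 * <p>
 * Missing data (no web parts, no CWE, no classification, no request, response
 * or attack object) always results in {@code false} and an error log entry: a
 * finding is never suppressed just because data is incomplete. NOTE(review):
 * whether two {@code null} values (e.g. no evidence on either side) count as
 * equal depends on {@code SimpleStringUtils.isTrimmedEqual} - confirm that this
 * is the intended matching semantics.
 *
 * @param vulnerability the vulnerability to check, must not be {@code null}
 * @param metaData      the false positive meta data to compare against, must not be {@code null}
 * @return <code>true</code> when identified as false positive, <code>false</code> otherwise
 */
public boolean isFalsePositive(SerecoVulnerability vulnerability, FalsePositiveMetaData metaData) {
    notNull(vulnerability, " vulnerability may not be null");
    notNull(metaData, " metaData may not be null");

    /* check supported scan type - both sides must be web scans */
    if (metaData.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    if (vulnerability.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    SerecoWeb vulnerabilityWeb = vulnerability.getWeb();
    if (vulnerabilityWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when vulnerability data has no web parts!");
        return false;
    }
    FalsePositiveWebMetaData metaDataWeb = metaData.getWeb();
    if (metaDataWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no web parts!");
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------CWE ID--------------------------- */
    /* ---------------------------------------------------- */
    /* for web scans we only use CWE as well-known common identifier */
    Integer cweId = metaData.getCweId();
    if (cweId == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no CWE id set!");
        return false;
    }
    SerecoClassification serecoClassification = vulnerability.getClassification();
    if (serecoClassification == null) {
        /* classification can be absent (see null handling elsewhere in the code base) - without it no CWE is known */
        LOG.error("Web scan sereco vulnerability type:{} found without classification! Cannot determine false positive!", vulnerability.getType());
        return false;
    }
    String serecoCWE = serecoClassification.getCwe();
    if (serecoCWE == null || serecoCWE.isEmpty()) {
        LOG.error("Web scan sereco vulnerability type:{} found without CWE! Cannot determine false positive! Classification was:{}", vulnerability.getType(), serecoClassification);
        return false;
    }
    int serecoCWEint;
    try {
        serecoCWEint = Integer.parseInt(serecoCWE);
    } catch (NumberFormatException e) {
        LOG.error("Web scan sereco vulnerability type:{} found CWE:{} but not expected integer format!", vulnerability.getType(), serecoCWE);
        return false;
    }
    if (cweId.intValue() != serecoCWEint) {
        /* not same type of common weakness enumeration - so skip */
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------NetworkTarget-------------------- */
    /* ---------------------------------------------------- */
    if (metaDataWeb.getRequest() == null || vulnerabilityWeb.getRequest() == null) {
        LOG.error("Cannot check web vulnerability for false positives when request data is missing!");
        return false;
    }
    String metaTarget = metaDataWeb.getRequest().getTarget();
    String vulnerabilityTarget = vulnerabilityWeb.getRequest().getTarget();
    if (!SimpleStringUtils.isTrimmedEqual(metaTarget, vulnerabilityTarget)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------HTTP Method---------------------- */
    /* ---------------------------------------------------- */
    String metaMethod = metaDataWeb.getRequest().getMethod();
    String vulnerabilityMethod = vulnerabilityWeb.getRequest().getMethod();
    if (!SimpleStringUtils.isTrimmedEqual(metaMethod, vulnerabilityMethod)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------Attack vector-------------------- */
    /* ---------------------------------------------------- */
    SerecoWebAttack attack = vulnerabilityWeb.getAttack();
    if (attack == null) {
        /* without attack data neither vector nor evidence can be compared */
        LOG.error("Cannot check web vulnerability for false positives when vulnerability data has no attack parts!");
        return false;
    }
    String metaAttackVector = metaDataWeb.getRequest().getAttackVector();
    String vulnerabilityAttackVector = attack.getVector();
    if (!SimpleStringUtils.isTrimmedEqual(metaAttackVector, vulnerabilityAttackVector)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------Evidence------------------------- */
    /* ---------------------------------------------------- */
    if (metaDataWeb.getResponse() == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no response parts!");
        return false;
    }
    String metaEvidence = metaDataWeb.getResponse().getEvidence();
    SerecoWebEvidence evidence = attack.getEvidence();
    String vulnerabilityEvidence = null;
    if (evidence != null) {
        vulnerabilityEvidence = evidence.getSnippet();
    }
    return SimpleStringUtils.isTrimmedEqual(metaEvidence, vulnerabilityEvidence);
}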

Example 2 with SerecoWebAttack

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack in project sechub by mercedes-benz.

Class SerecoProductResultTransformer, method appendWebData:

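/**
 * Appends the web scan specific parts (request, response and attack/evidence
 * data) of the given sereco vulnerability to the given SecHub finding.
 * <p>
 * When the vulnerability has no web object the finding is left untouched and
 * an error is logged, because the finding cannot be described without it.
 * A request, response or attack object missing on the sereco side is skipped
 * individually, so the remaining web data is still written to the report.
 *
 * @param sechubJobUUID the job the report belongs to (used for logging only)
 * @param vulnerability the sereco vulnerability to read the web data from
 * @param finding       the SecHub finding the web data is set on
 */
private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        /* the message needs a second placeholder, otherwise the job UUID argument is silently dropped */
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    SecHubReportWeb sechubWeb = new SecHubReportWeb();
    copyRequest(serecoWeb.getRequest(), sechubWeb.getRequest());
    copyResponse(serecoWeb.getResponse(), sechubWeb.getResponse());
    copyAttack(serecoWeb.getAttack(), sechubWeb.getAttack());
    finding.setWeb(sechubWeb);
}

/**
 * Copies protocol, version, target, method, headers and body from the sereco
 * request to the report request. A missing sereco request is ignored.
 */
private void copyRequest(SerecoWebRequest serecoRequest, SecHubReportWebRequest sechubRequest) {
    if (serecoRequest == null) {
        return;
    }
    sechubRequest.setProtocol(serecoRequest.getProtocol());
    sechubRequest.setVersion(serecoRequest.getVersion());
    sechubRequest.setTarget(serecoRequest.getTarget());
    sechubRequest.setMethod(serecoRequest.getMethod());
    sechubRequest.getHeaders().putAll(serecoRequest.getHeaders());
    sechubRequest.getBody().setText(serecoRequest.getBody().getText());
    sechubRequest.getBody().setBinary(serecoRequest.getBody().getBinary());
}

/**
 * Copies status code, reason phrase, protocol, version, headers and body from
 * the sereco response to the report response. A missing sereco response is
 * ignored.
 */
private void copyResponse(SerecoWebResponse serecoResponse, SecHubReportWebResponse sechubResponse) {
    if (serecoResponse == null) {
        return;
    }
    sechubResponse.setStatusCode(serecoResponse.getStatusCode());
    sechubResponse.setReasonPhrase(serecoResponse.getReasonPhrase());
    sechubResponse.setProtocol(serecoResponse.getProtocol());
    sechubResponse.setVersion(serecoResponse.getVersion());
    sechubResponse.getHeaders().putAll(serecoResponse.getHeaders());
    sechubResponse.getBody().setText(serecoResponse.getBody().getText());
    sechubResponse.getBody().setBinary(serecoResponse.getBody().getBinary());
}

/**
 * Copies the attack vector and - when present - the evidence (snippet and
 * body start line) from the sereco attack to the report attack. A missing
 * sereco attack is ignored.
 */
private void copyAttack(SerecoWebAttack serecoAttack, SecHubReportWebAttack sechubAttack) {
    if (serecoAttack == null) {
        return;
    }
    sechubAttack.setVector(serecoAttack.getVector());
    SerecoWebEvidence serecoEvidence = serecoAttack.getEvidence();
    if (serecoEvidence == null) {
        return;
    }
    SecHubReportWebEvidence sechubEvidence = new SecHubReportWebEvidence();
    sechubEvidence.setSnippet(serecoEvidence.getSnippet());
    SerecoWebBodyLocation serecoBodyLocation = serecoEvidence.getBodyLocation();
    if (serecoBodyLocation != null) {
        SecHubReportWebBodyLocation sechubBodyLocation = new SecHubReportWebBodyLocation();
        sechubBodyLocation.setStartLine(serecoBodyLocation.getStartLine());
        sechubEvidence.setBodyLocation(sechubBodyLocation);
    }
    sechubAttack.setEvidence(sechubEvidence);
}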

Example 3 with SerecoWebAttack

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack in project sechub by mercedes-benz.

Class SarifV1JSONImporter, method handleWebAttack:

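/**
 * Transfers the attack data of a SARIF result into the given sereco web
 * object. Only the first location of the result is used: the region start
 * line and snippet become the web evidence, the optional {@code "attack"}
 * property of the location becomes the attack vector.
 * <p>
 * Nothing is changed when the result has no location, no physical location,
 * no region, or when the sereco web object has no attack container to fill.
 *
 * @param result    the SARIF result to read from
 * @param serecoWeb the sereco web object to write attack and evidence to
 */
private void handleWebAttack(Result result, SerecoWeb serecoWeb) {
    List<Location> sarifLocations = result.getLocations();
    /* the locations list is optional in SARIF output - a missing list is treated like an empty one */
    if (sarifLocations == null || sarifLocations.isEmpty()) {
        return;
    }
    Location sarifLocation = sarifLocations.get(0);
    PhysicalLocation sarifPhysicalLocation = sarifLocation.getPhysicalLocation();
    if (sarifPhysicalLocation == null) {
        return;
    }
    Region sarifRegion = sarifPhysicalLocation.getRegion();
    if (sarifRegion == null) {
        return;
    }
    SerecoWebAttack serecoAttack = serecoWeb.getAttack();
    if (serecoAttack == null) {
        /* NOTE(review): the attack container is expected to be provided by SerecoWeb - confirm; without it there is nothing to fill */
        return;
    }
    /* evidence */
    SerecoWebEvidence serecoWebEvidence = new SerecoWebEvidence();
    SerecoWebBodyLocation bodyLocation = new SerecoWebBodyLocation();
    bodyLocation.setStartLine(sarifRegion.getStartLine());
    serecoWebEvidence.setBodyLocation(bodyLocation);
    ArtifactContent sarifSnippet = sarifRegion.getSnippet();
    if (sarifSnippet != null) {
        serecoWebEvidence.setSnippet(sarifSnippet.getText());
    }
    /* attack vector - taken verbatim from the (tool provided) "attack" location property when not empty */
    PropertyBag locationProperties = sarifLocation.getProperties();
    if (locationProperties != null) {
        Object attack = locationProperties.get("attack");
        if (SimpleStringUtils.isNotEmpty(attack)) {
            serecoAttack.setVector(attack.toString());
        }
    }
    serecoAttack.setEvidence(serecoWebEvidence);
}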

Example 4 with SerecoWebAttack

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebAttack in project sechub by mercedes-benz.

Class VulnerabilityTestDescriptionBuilder, method describe:

/**
 * Builds a human readable, multi-line description of the given vulnerability
 * for test output.
 * <p>
 * The first row lists severity, CWE and type (each only when present). The
 * following rows list scan type, the code call stack (each call indented one
 * level deeper than its caller), the web attack/request/response, description
 * and classification - again each only when present.
 *
 * @param vulnerability the vulnerability to describe, may be {@code null}
 * @return the description, or the text {@code "null"} when no vulnerability was given
 */
public String describe(SerecoVulnerability vulnerability) {
    if (vulnerability == null) {
        return "null";
    }
    StringBuilder out = new StringBuilder();
    appendHeaderRow(out, vulnerability);
    appendLine(out, "- scanType:", vulnerability.getScanType());
    appendCodeCallStack(out, vulnerability.getCode());
    appendWebParts(out, vulnerability.getWeb());
    appendLine(out, "- description:", vulnerability.getDescription());
    appendLine(out, "- classification:", vulnerability.getClassification());
    /* code parts not inside toString */
    return out.toString();
}

/** Appends the first row: severity, CWE and type, each only when present, always terminated by a newline. */
private void appendHeaderRow(StringBuilder out, SerecoVulnerability vulnerability) {
    if (vulnerability.getSeverity() != null) {
        out.append("severity=").append(vulnerability.getSeverity());
    }
    if (vulnerability.getClassification() != null) {
        out.append(",cwe=").append(vulnerability.getClassification().getCwe());
    }
    if (vulnerability.getType() != null) {
        out.append(",type=").append(vulnerability.getType());
    }
    out.append("\n");
}

/** Appends the code call stack starting at the given element, one indentation level more per call; does nothing for {@code null}. */
private void appendCodeCallStack(StringBuilder out, SerecoCodeCallStackElement firstElement) {
    if (firstElement == null) {
        return;
    }
    out.append("- code:").append("\n");
    String indent = INDENTION;
    for (SerecoCodeCallStackElement element = firstElement; element != null; element = element.getCalls()) {
        out.append(indent).append("- location:").append(element.getLocation());
        out.append(", line:").append(element.getLine());
        out.append(", column:").append(element.getColumn()).append("\n");

        out.append(indent).append("- relevant:");
        if (element.getRelevantPart() != null) {
            out.append(element.getRelevantPart());
        }
        out.append("\n");

        out.append(indent).append("- source:");
        if (element.getSource() != null) {
            out.append(element.getSource());
        }
        out.append("\n");

        indent = indent + INDENTION;
    }
    out.append("\n");
}

/** Appends attack, request and response of the given web object (each only when present); does nothing for {@code null}. */
private void appendWebParts(StringBuilder out, SerecoWeb web) {
    if (web == null) {
        return;
    }
    appendLine(out, INDENTION + "- attack:", web.getAttack());
    appendLine(out, INDENTION + "- request:", web.getRequest());
    appendLine(out, INDENTION + "- response:", web.getResponse());
}

/** Appends {@code label + value + newline} when the value is not {@code null}, otherwise nothing. */
private void appendLine(StringBuilder out, String label, Object value) {
    if (value == null) {
        return;
    }
    out.append(label).append(value).append("\n");
}
