
Example 1 with SerecoWebEvidence

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence in project sechub by mercedes-benz.

From class SerecoFalsePositiveWebScanStrategy, method isFalsePositive:

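/**
 * Checks whether the given web scan vulnerability is identified as a false
 * positive by the given false positive meta data.
 * <p>
 * A match requires that both sides are of scan type {@link ScanType#WEB_SCAN},
 * that the CWE id of the meta data equals the (numeric) CWE of the vulnerability
 * classification, and that target, HTTP method, attack vector and evidence
 * snippet are equal after trimming. Every comparison must hold, so one false
 * positive entry cannot suppress findings for another target, method or attack.
 * Missing data on either side is logged as an error and treated as "not a false
 * positive" (the finding stays visible).
 *
 * @param vulnerability sereco vulnerability to check, must not be <code>null</code>
 * @param metaData      false positive meta data to compare with, must not be
 *                      <code>null</code>
 * @return <code>true</code> when identified as false positive, otherwise
 *         <code>false</code>
 */
public boolean isFalsePositive(SerecoVulnerability vulnerability, FalsePositiveMetaData metaData) {
    notNull(vulnerability, " vulnerability may not be null");
    notNull(metaData, " metaData may not be null");

    /* check supported scan type - this strategy handles web scans only */
    if (metaData.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    if (vulnerability.getScanType() != ScanType.WEB_SCAN) {
        return false;
    }
    SerecoWeb vulnerabilityWeb = vulnerability.getWeb();
    if (vulnerabilityWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when vulnerability data has no web parts!");
        return false;
    }
    FalsePositiveWebMetaData metaDataWeb = metaData.getWeb();
    if (metaDataWeb == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no web parts!");
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------CWE ID--------------------------- */
    /* ---------------------------------------------------- */
    /* for web scans we only use CWE as well-known common identifier */
    Integer cweId = metaData.getCweId();
    if (cweId == null) {
        LOG.error("Cannot check web vulnerability for false positives when meta data has no CWE id set!");
        return false;
    }
    SerecoClassification serecoClassification = vulnerability.getClassification();
    String serecoCWE = serecoClassification.getCwe();
    if (serecoCWE == null || serecoCWE.isEmpty()) {
        /* message formerly said "Code scan" although this is the web scan strategy */
        LOG.error("Web scan sereco vulnerability type:{} found without CWE! Cannot determine false positive! Classification was:{}", vulnerability.getType(), serecoClassification);
        return false;
    }
    int serecoCWEint;
    try {
        serecoCWEint = Integer.parseInt(serecoCWE);
    } catch (NumberFormatException e) {
        LOG.error("Web scan sereco vulnerability type:{} found CWE:{} but not expected integer format!", vulnerability.getType(), serecoCWE);
        return false;
    }
    if (cweId.intValue() != serecoCWEint) {
        /* not same common weakness enumeration entry - so skip */
        return false;
    }

    /*
     * From here on every attribute must match. Each mismatch returns early, so
     * later getters are not evaluated once a difference is found.
     */

    /* ---------------------------------------------------- */
    /* -------------------NetworkTarget-------------------- */
    /* ---------------------------------------------------- */
    String metaTarget = metaDataWeb.getRequest().getTarget();
    String vulnerabilityTarget = vulnerabilityWeb.getRequest().getTarget();
    if (!SimpleStringUtils.isTrimmedEqual(metaTarget, vulnerabilityTarget)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------HTTP Method---------------------- */
    /* ---------------------------------------------------- */
    String metaMethod = metaDataWeb.getRequest().getMethod();
    String vulnerabilityMethod = vulnerabilityWeb.getRequest().getMethod();
    if (!SimpleStringUtils.isTrimmedEqual(metaMethod, vulnerabilityMethod)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------Attack vector-------------------- */
    /* ---------------------------------------------------- */
    SerecoWebAttack attack = vulnerabilityWeb.getAttack();
    if (attack == null) {
        /* same handling as for missing web parts: log and keep the finding visible */
        LOG.error("Cannot check web vulnerability for false positives when vulnerability web data has no attack parts!");
        return false;
    }
    String metaAttackVector = metaDataWeb.getRequest().getAttackVector();
    String vulnerabilityAttackVector = attack.getVector();
    if (!SimpleStringUtils.isTrimmedEqual(metaAttackVector, vulnerabilityAttackVector)) {
        return false;
    }

    /* ---------------------------------------------------- */
    /* -------------------Evidence------------------------- */
    /* ---------------------------------------------------- */
    String metaEvidence = metaDataWeb.getResponse().getEvidence();
    SerecoWebEvidence evidence = attack.getEvidence();
    /* a vulnerability without evidence only matches meta data without evidence */
    String vulnerabilityEvidence = evidence == null ? null : evidence.getSnippet();
    return SimpleStringUtils.isTrimmedEqual(metaEvidence, vulnerabilityEvidence);
}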

Example 2 with SerecoWebEvidence

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence in project sechub by mercedes-benz.

From class SerecoProductResultTransformer, method appendWebData:

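/**
 * Copies the web specific parts (request, response, attack and evidence) of a
 * sereco vulnerability into the given SecHub finding. When the vulnerability
 * carries no web object an error is logged and the finding is left untouched.
 *
 * @param sechubJobUUID uuid of the SecHub job, used for logging only
 * @param vulnerability sereco vulnerability providing the web data
 * @param finding       SecHub finding which receives the web data
 */
private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        /* the second placeholder was missing before, so the job uuid was never logged */
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    SecHubReportWeb sechubWeb = new SecHubReportWeb();

    copyRequest(serecoWeb.getRequest(), sechubWeb.getRequest());
    copyResponse(serecoWeb.getResponse(), sechubWeb.getResponse());
    copyAttack(serecoWeb.getAttack(), sechubWeb.getAttack());

    finding.setWeb(sechubWeb);
}

/**
 * Copies protocol, version, target, method, headers and body of the sereco
 * request into the report request.
 * <p>
 * NOTE(review): all request headers are copied verbatim into the report. If the
 * scanner captured authentication headers they end up in the report as well -
 * confirm that redaction happens upstream or is not required.
 */
private static void copyRequest(SerecoWebRequest serecoRequest, SecHubReportWebRequest sechubRequest) {
    sechubRequest.setProtocol(serecoRequest.getProtocol());
    sechubRequest.setVersion(serecoRequest.getVersion());
    sechubRequest.setTarget(serecoRequest.getTarget());
    sechubRequest.setMethod(serecoRequest.getMethod());
    sechubRequest.getHeaders().putAll(serecoRequest.getHeaders());
    sechubRequest.getBody().setText(serecoRequest.getBody().getText());
    sechubRequest.getBody().setBinary(serecoRequest.getBody().getBinary());
}

/**
 * Copies status code, reason phrase, protocol, version, headers and body of the
 * sereco response into the report response (headers verbatim, see
 * {@link #copyRequest}).
 */
private static void copyResponse(SerecoWebResponse serecoResponse, SecHubReportWebResponse sechubResponse) {
    sechubResponse.setStatusCode(serecoResponse.getStatusCode());
    sechubResponse.setReasonPhrase(serecoResponse.getReasonPhrase());
    sechubResponse.setProtocol(serecoResponse.getProtocol());
    sechubResponse.setVersion(serecoResponse.getVersion());
    sechubResponse.getHeaders().putAll(serecoResponse.getHeaders());
    sechubResponse.getBody().setText(serecoResponse.getBody().getText());
    sechubResponse.getBody().setBinary(serecoResponse.getBody().getBinary());
}

/**
 * Copies the attack vector and - when present - the evidence snippet and its
 * body location into the report attack. Only the start line of the body
 * location is transferred.
 */
private static void copyAttack(SerecoWebAttack serecoAttack, SecHubReportWebAttack sechubAttack) {
    sechubAttack.setVector(serecoAttack.getVector());
    SerecoWebEvidence serecoEvidence = serecoAttack.getEvidence();
    if (serecoEvidence == null) {
        return;
    }
    SecHubReportWebEvidence sechubEvidence = new SecHubReportWebEvidence();
    sechubEvidence.setSnippet(serecoEvidence.getSnippet());
    SerecoWebBodyLocation serecoBodyLocation = serecoEvidence.getBodyLocation();
    if (serecoBodyLocation != null) {
        SecHubReportWebBodyLocation sechubBodyLocation = new SecHubReportWebBodyLocation();
        sechubBodyLocation.setStartLine(serecoBodyLocation.getStartLine());
        sechubEvidence.setBodyLocation(sechubBodyLocation);
    }
    sechubAttack.setEvidence(sechubEvidence);
}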

Example 3 with SerecoWebEvidence

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence in project sechub by mercedes-benz.

From class SarifV1JSONImporter, method handleWebAttack:

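/**
 * Transfers SARIF location data of the given result into the attack part of the
 * given sereco web object: the region start line and snippet become the
 * evidence, and the optional "attack" entry of the location property bag becomes
 * the attack vector. Nothing is changed when the result has no location,
 * physical location or region.
 *
 * @param result    SARIF result to read from
 * @param serecoWeb sereco web object whose attack data is filled
 */
private void handleWebAttack(Result result, SerecoWeb serecoWeb) {
    List<Location> sarifLocations = result.getLocations();
    /* locations are optional in SARIF - treat a missing list like an empty one */
    if (sarifLocations == null || sarifLocations.isEmpty()) {
        return;
    }
    /* only the first location is used */
    Location sarifLocation = sarifLocations.get(0);
    PhysicalLocation sarifPhysicalLocation = sarifLocation.getPhysicalLocation();
    if (sarifPhysicalLocation == null) {
        return;
    }
    Region sarifRegion = sarifPhysicalLocation.getRegion();
    if (sarifRegion == null) {
        return;
    }
    /* evidence */
    SerecoWebEvidence serecoWebEvidence = new SerecoWebEvidence();
    SerecoWebBodyLocation bodyLocation = new SerecoWebBodyLocation();
    bodyLocation.setStartLine(sarifRegion.getStartLine());
    serecoWebEvidence.setBodyLocation(bodyLocation);
    ArtifactContent sarifSnippet = sarifRegion.getSnippet();
    if (sarifSnippet != null) {
        serecoWebEvidence.setSnippet(sarifSnippet.getText());
    }
    /* attack */
    SerecoWebAttack serecoAttack = serecoWeb.getAttack();
    PropertyBag locationProperties = sarifLocation.getProperties();
    if (locationProperties != null) {
        /*
         * "attack" is a property bag entry, presumably tool specific. Its value is
         * taken as-is from the scanner output and later shows up in the report and
         * in false positive matching; no normalisation happens here.
         */
        Object attack = locationProperties.get("attack");
        if (SimpleStringUtils.isNotEmpty(attack)) {
            serecoAttack.setVector(attack.toString());
        }
    }
    serecoAttack.setEvidence(serecoWebEvidence);
}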

Example 4 with SerecoWebEvidence

use of com.mercedesbenz.sechub.sereco.metadata.SerecoWebEvidence in project sechub by mercedes-benz.

From class SerecoFalsePositiveWebScanStrategyTest, method createValidTestVulnerability:

/**
 * Builds a web scan vulnerability whose CWE, target, HTTP method, attack vector
 * and evidence snippet are taken from the test constants, i.e. a vulnerability
 * the strategy under test is expected to accept.
 */
private SerecoVulnerability createValidTestVulnerability() {
    SerecoWeb webData = new SerecoWeb();

    SerecoWebRequest webRequest = webData.getRequest();
    webRequest.setProtocol("protocol1");
    webRequest.setVersion("version1");
    webRequest.setMethod(METHOD1);
    webRequest.setTarget(TARGET1);

    webData.getResponse().setStatusCode(3333);

    SerecoWebEvidence webEvidence = new SerecoWebEvidence();
    webEvidence.setSnippet(EVIDENCE1);
    webData.getAttack().setVector(ATTACK_VECTOR1);
    webData.getAttack().setEvidence(webEvidence);

    SerecoVulnerability result = new SerecoVulnerability();
    result.setScanType(ScanType.WEB_SCAN);
    result.setWeb(webData);
    result.getClassification().setCwe("" + CWE_ID_4711);
    return result;
}
