import com.google.common.collect.ImmutableSet;
import java.util.Date;
+import java.util.Set;
import java.util.function.Consumer;
import javax.annotation.Nullable;
import org.sonar.api.rule.RuleKey;
public static Consumer<RuleDefinitionDto> setType(RuleType type) {
return rule -> rule.setType(type);
}
-
+
public static Consumer<RuleDefinitionDto> setIsExternal(boolean isExternal) {
return rule -> rule.setIsExternal(isExternal);
}
+ public static Consumer<RuleDefinitionDto> setSecurityStandards(Set<String> securityStandards) {
+ return rule -> rule.setSecurityStandards(securityStandards);
+ }
+
public static Consumer<RuleDefinitionDto> setIsTemplate(boolean isTemplate) {
return rule -> rule.setIsTemplate(isTemplate);
}
import static com.google.common.base.Preconditions.checkArgument;
import static org.sonar.api.utils.DateUtils.longToDate;
import static org.sonar.db.DatabaseUtils.getLong;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getCwe;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getOwaspTop10;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getSansTop25;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getSecurityStandards;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getSonarSourceSecurityCategories;
+import static org.sonar.server.security.SecurityStandardHelper.getCwe;
+import static org.sonar.server.security.SecurityStandardHelper.getOwaspTop10;
+import static org.sonar.server.security.SecurityStandardHelper.getSansTop25;
+import static org.sonar.server.security.SecurityStandardHelper.getSecurityStandards;
+import static org.sonar.server.security.SecurityStandardHelper.getSonarSourceSecurityCategories;
/**
* Scrolls over table ISSUES and reads documents to populate
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2019 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.server.issue.index;
-
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableMap;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import javax.annotation.Nullable;
-
-import static java.util.Arrays.asList;
-import static java.util.Collections.emptyList;
-import static java.util.Collections.singletonList;
-import static java.util.stream.Collectors.toList;
-
-public class SecurityStandardHelper {
-
- public static final String UNKNOWN_STANDARD = "unknown";
- public static final String SANS_TOP_25_INSECURE_INTERACTION = "insecure-interaction";
- public static final String SANS_TOP_25_RISKY_RESOURCE = "risky-resource";
- public static final String SANS_TOP_25_POROUS_DEFENSES = "porous-defenses";
-
- private static final String OWASP_TOP10_PREFIX = "owaspTop10:";
- private static final String CWE_PREFIX = "cwe:";
- // See https://www.sans.org/top25-software-errors
- private static final Set<String> INSECURE_CWE = new HashSet<>(asList("89", "78", "79", "434", "352", "601"));
- private static final Set<String> RISKY_CWE = new HashSet<>(asList("120", "22", "494", "829", "676", "131", "134", "190"));
- private static final Set<String> POROUS_CWE = new HashSet<>(asList("306", "862", "798", "311", "807", "250", "863", "732", "327", "307", "759"));
-
-
- public static final Map<String, List<String>> SONARSOURCE_CWE_MAPPING = ImmutableMap.<String, List<String>>builder()
- .put("sql-injection", asList("89", "564"))
- .put("command-injection", asList("78", "77"))
- .put("path-traversal-injection", singletonList("22"))
- .put("ldap-injection", singletonList("90"))
- .put("xpath-injection", singletonList("643"))
- .put("expression-lang-injection", singletonList("917"))
- .put("rce", singletonList("94"))
- .put("dos", singletonList("400"))
- .put("ssrf", singletonList("918"))
- .put("csrf", singletonList("352"))
- .put("xss", asList("79", "80", "81", "82", "83", "84", "85", "86", "87"))
- .put("log-injection", singletonList("117"))
- .put("http-response-splitting", singletonList("113"))
- .put("open-redirect", singletonList("601"))
- .put("xxe", asList("611", "827"))
- .put("object-injection", singletonList("470"))
- .put("weak-cryptography", asList("326", "295", "326", "327", "297", "780", "328", "327"))
- .put("auth", asList("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "522", "284"))
- .put("insecure-conf", asList("102", "489"))
- .put("file-manipulation", asList("97", "73"))
- .build();
-
- public static final Map<String, Set<String>> SANS_TOP_25_CWE_MAPPING = ImmutableMap.of(
- SANS_TOP_25_INSECURE_INTERACTION, INSECURE_CWE,
- SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE,
- SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE);
-
- private static final Splitter SECURITY_STANDARDS_SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
-
- private SecurityStandardHelper() {
- // Utility class
- }
-
- public static List<String> getSecurityStandards(@Nullable String securityStandards) {
- return securityStandards == null ? emptyList() : SECURITY_STANDARDS_SPLITTER.splitToList(securityStandards);
- }
-
- public static List<String> getSansTop25(Collection<String> cwe) {
- return SANS_TOP_25_CWE_MAPPING
- .keySet()
- .stream()
- .filter(k -> cwe.stream().anyMatch(SANS_TOP_25_CWE_MAPPING.get(k)::contains))
- .collect(toList());
- }
-
- public static List<String> getSonarSourceSecurityCategories(Collection<String> cwe) {
- return SONARSOURCE_CWE_MAPPING
- .keySet()
- .stream()
- .filter(k -> cwe.stream().anyMatch(SONARSOURCE_CWE_MAPPING.get(k)::contains))
- .collect(toList());
- }
-
- public static List<String> getOwaspTop10(Collection<String> securityStandards) {
- List<String> result = securityStandards.stream()
- .filter(s -> s.startsWith(OWASP_TOP10_PREFIX))
- .map(s -> s.substring(OWASP_TOP10_PREFIX.length()))
- .collect(toList());
- return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
- }
-
- public static List<String> getCwe(Collection<String> securityStandards) {
- List<String> result = securityStandards.stream()
- .filter(s -> s.startsWith(CWE_PREFIX))
- .map(s -> s.substring(CWE_PREFIX.length()))
- .collect(toList());
- return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
- }
-
- public static List<String> getSansTop25(String securityStandards) {
- return getSansTop25(getCwe(getSecurityStandards(securityStandards)));
- }
-
- public static List<String> getSonarSourceSecurityCategories(String securityStandards) {
- return getSonarSourceSecurityCategories(getCwe(getSecurityStandards(securityStandards)));
- }
-
- public static List<String> getOwaspTop10(String securityStandards) {
- return getOwaspTop10(getSecurityStandards(securityStandards));
- }
-
- public static List<String> getCwe(String securityStandards) {
- return getCwe(getSecurityStandards(securityStandards));
- }
-}
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Maps;
+import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.sonar.db.rule.RuleForIndexingDto;
import org.sonar.markdown.Markdown;
import org.sonar.server.es.BaseDoc;
+import org.sonar.server.security.SecurityStandardHelper;
import static org.sonar.server.rule.index.RuleIndexDefinition.TYPE_RULE;
return this;
}
+ @CheckForNull
+ public Collection<String> getOwaspTop10() {
+ return getNullableField(RuleIndexDefinition.FIELD_RULE_OWASP_TOP_10);
+ }
+
+ public RuleDoc setOwaspTop10(@Nullable Collection<String> o) {
+ setField(RuleIndexDefinition.FIELD_RULE_OWASP_TOP_10, o);
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getSansTop25() {
+ return getNullableField(RuleIndexDefinition.FIELD_RULE_SANS_TOP_25);
+ }
+
+ public RuleDoc setSansTop25(@Nullable Collection<String> s) {
+ setField(RuleIndexDefinition.FIELD_RULE_SANS_TOP_25, s);
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getCwe() {
+ return getNullableField(RuleIndexDefinition.FIELD_RULE_CWE);
+ }
+
+ public RuleDoc setCwe(@Nullable Collection<String> c) {
+ setField(RuleIndexDefinition.FIELD_RULE_CWE, c);
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getSonarSourceSecurityCategories() {
+ return getNullableField(RuleIndexDefinition.FIELD_RULE_SONARSOURCE_SECURITY);
+ }
+
+ public RuleDoc setSonarSourceSecurityCategories(@Nullable Collection<String> c) {
+ setField(RuleIndexDefinition.FIELD_RULE_SONARSOURCE_SECURITY, c);
+ return this;
+ }
+
@CheckForNull
public RuleStatus status() {
return RuleStatus.valueOf(getField(RuleIndexDefinition.FIELD_RULE_STATUS));
}
public static RuleDoc of(RuleForIndexingDto dto) {
+ Collection<String> cwe = SecurityStandardHelper.getCwe(dto.getSecurityStandardsAsSet());
RuleDoc ruleDoc = new RuleDoc()
.setId(dto.getId())
.setKey(dto.getRuleKey().toString())
.setIsTemplate(dto.isTemplate())
.setIsExternal(dto.isExternal())
.setLanguage(dto.getLanguage())
+ .setCwe(cwe)
+ .setOwaspTop10(SecurityStandardHelper.getOwaspTop10(dto.getSecurityStandardsAsSet()))
+ .setSansTop25(SecurityStandardHelper.getSansTop25(cwe))
+ .setSonarSourceSecurityCategories(SecurityStandardHelper.getSonarSourceSecurityCategories(cwe))
.setName(dto.getName())
.setRuleKey(dto.getPluginRuleKey())
.setSeverity(dto.getSeverityAsString())
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_ACTIVE_RULE_PROFILE_UUID;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_ACTIVE_RULE_SEVERITY;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_CREATED_AT;
+import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_CWE;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_EXTENSION_SCOPE;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_EXTENSION_TAGS;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_HTML_DESCRIPTION;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_KEY;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_LANGUAGE;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_NAME;
+import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_OWASP_TOP_10;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_REPOSITORY;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_RULE_KEY;
+import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_SANS_TOP_25;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_SEVERITY;
+import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_SONARSOURCE_SECURITY;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_STATUS;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_TEMPLATE_KEY;
import static org.sonar.server.rule.index.RuleIndexDefinition.FIELD_RULE_TYPE;
public static final String FACET_STATUSES = "statuses";
public static final String FACET_TYPES = "types";
public static final String FACET_OLD_DEFAULT = "true";
+ public static final String FACET_CWE = "cwe";
+ public static final String FACET_SANS_TOP_25 = "sansTop25";
+ public static final String FACET_OWASP_TOP_10 = "owaspTop10";
+ public static final String FACET_SONARSOURCE_SECURITY = "sonarsourceSecurity";
private static final int MAX_FACET_SIZE = 100;
QueryBuilders.termsQuery(FIELD_RULE_SEVERITY, query.getSeverities()));
}
+ if (isNotEmpty(query.getCwe())) {
+ filters.put(FIELD_RULE_CWE,
+ QueryBuilders.termsQuery(FIELD_RULE_CWE, query.getCwe()));
+ }
+
+ if (isNotEmpty(query.getOwaspTop10())) {
+ filters.put(FIELD_RULE_OWASP_TOP_10,
+ QueryBuilders.termsQuery(FIELD_RULE_OWASP_TOP_10, query.getOwaspTop10()));
+ }
+
+ if (isNotEmpty(query.getSansTop25())) {
+ filters.put(FIELD_RULE_SANS_TOP_25,
+ QueryBuilders.termsQuery(FIELD_RULE_SANS_TOP_25, query.getSansTop25()));
+ }
+
+ if (isNotEmpty(query.getSonarsourceSecurity())) {
+ filters.put(FIELD_RULE_SONARSOURCE_SECURITY,
+ QueryBuilders.termsQuery(FIELD_RULE_SONARSOURCE_SECURITY, query.getSonarsourceSecurity()));
+ }
+
if (StringUtils.isNotEmpty(query.getKey())) {
filters.put(FIELD_RULE_KEY,
QueryBuilders.termQuery(FIELD_RULE_KEY, query.getKey()));
stickyFacetBuilder.buildStickyFacet(FIELD_RULE_REPOSITORY, FACET_REPOSITORIES,
(repositories == null) ? (new String[0]) : repositories.toArray()));
}
+
+ addDefaultSecurityFacets(query, options, aggregations, stickyFacetBuilder);
+ }
+
+ private static void addDefaultSecurityFacets(RuleQuery query, SearchOptions options, Map<String, AggregationBuilder> aggregations,
+ StickyFacetBuilder stickyFacetBuilder) {
+ if (options.getFacets().contains(FACET_CWE)) {
+ Collection<String> categories = query.getCwe();
+ aggregations.put(FACET_CWE,
+ stickyFacetBuilder.buildStickyFacet(FIELD_RULE_CWE, FACET_CWE,
+ (categories == null) ? (new String[0]) : categories.toArray()));
+ }
+ if (options.getFacets().contains(FACET_OWASP_TOP_10)) {
+ Collection<String> categories = query.getOwaspTop10();
+ aggregations.put(FACET_OWASP_TOP_10,
+ stickyFacetBuilder.buildStickyFacet(FIELD_RULE_OWASP_TOP_10, FACET_OWASP_TOP_10,
+ (categories == null) ? (new String[0]) : categories.toArray()));
+ }
+ if (options.getFacets().contains(FACET_SANS_TOP_25)) {
+ Collection<String> categories = query.getSansTop25();
+ aggregations.put(FACET_SANS_TOP_25,
+ stickyFacetBuilder.buildStickyFacet(FIELD_RULE_SANS_TOP_25, FACET_SANS_TOP_25,
+ (categories == null) ? (new String[0]) : categories.toArray()));
+ }
+ if (options.getFacets().contains(FACET_SONARSOURCE_SECURITY)) {
+ Collection<String> categories = query.getSonarsourceSecurity();
+ aggregations.put(FACET_SONARSOURCE_SECURITY,
+ stickyFacetBuilder.buildStickyFacet(FIELD_RULE_SONARSOURCE_SECURITY, FACET_SONARSOURCE_SECURITY,
+ (categories == null) ? (new String[0]) : categories.toArray()));
+ }
}
private static void addStatusFacetIfNeeded(SearchOptions options, Map<String, AggregationBuilder> aggregations, StickyFacetBuilder stickyFacetBuilder) {
public static final String FIELD_RULE_TYPE = "type";
public static final String FIELD_RULE_CREATED_AT = "createdAt";
public static final String FIELD_RULE_UPDATED_AT = "updatedAt";
+ public static final String FIELD_RULE_CWE = "cwe";
+ public static final String FIELD_RULE_OWASP_TOP_10 = "owaspTop10";
+ public static final String FIELD_RULE_SANS_TOP_25 = "sansTop25";
+ public static final String FIELD_RULE_SONARSOURCE_SECURITY = "sonarsourceSecurity";
public static final Set<String> SORT_FIELDS = ImmutableSet.of(
FIELD_RULE_NAME,
ruleMapping.createLongField(FIELD_RULE_CREATED_AT);
ruleMapping.createLongField(FIELD_RULE_UPDATED_AT);
+ ruleMapping.keywordFieldBuilder(FIELD_RULE_CWE).disableNorms().build();
+ ruleMapping.keywordFieldBuilder(FIELD_RULE_OWASP_TOP_10).disableNorms().build();
+ ruleMapping.keywordFieldBuilder(FIELD_RULE_SANS_TOP_25).disableNorms().build();
+ ruleMapping.keywordFieldBuilder(FIELD_RULE_SONARSOURCE_SECURITY).disableNorms().build();
+
// Active rule
index.createTypeMapping(TYPE_ACTIVE_RULE)
.keywordFieldBuilder(FIELD_ACTIVE_RULE_ID).disableNorms().build()
private String ruleKey;
private OrganizationDto organization;
private boolean includeExternal;
+ private Collection<String> owaspTop10;
+ private Collection<String> sansTop25;
+ private Collection<String> cwe;
+ private Collection<String> sonarsourceSecurity;
@CheckForNull
public QProfileDto getQProfile() {
this.compareToQProfile = compareToQProfile;
return this;
}
+
+ @CheckForNull
+ public Collection<String> getCwe() {
+ return cwe;
+ }
+
+ public RuleQuery setCwe(@Nullable Collection<String> cwe) {
+ this.cwe = cwe;
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getOwaspTop10() {
+ return owaspTop10;
+ }
+
+ public RuleQuery setOwaspTop10(@Nullable Collection<String> owaspTop10) {
+ this.owaspTop10 = owaspTop10;
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getSansTop25() {
+ return sansTop25;
+ }
+
+ public RuleQuery setSansTop25(@Nullable Collection<String> sansTop25) {
+ this.sansTop25 = sansTop25;
+ return this;
+ }
+
+ @CheckForNull
+ public Collection<String> getSonarsourceSecurity() {
+ return sonarsourceSecurity;
+ }
+
+ public RuleQuery setSonarsourceSecurity(@Nullable Collection<String> sonarsourceSecurity) {
+ this.sonarsourceSecurity = sonarsourceSecurity;
+ return this;
+ }
}
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2019 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.security;
+
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableMap;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.Nullable;
+
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.singletonList;
+import static java.util.stream.Collectors.toList;
+
+public class SecurityStandardHelper {
+
+ public static final String UNKNOWN_STANDARD = "unknown";
+ public static final String SANS_TOP_25_INSECURE_INTERACTION = "insecure-interaction";
+ public static final String SANS_TOP_25_RISKY_RESOURCE = "risky-resource";
+ public static final String SANS_TOP_25_POROUS_DEFENSES = "porous-defenses";
+
+ private static final String OWASP_TOP10_PREFIX = "owaspTop10:";
+ private static final String CWE_PREFIX = "cwe:";
+ // See https://www.sans.org/top25-software-errors
+ private static final Set<String> INSECURE_CWE = new HashSet<>(asList("89", "78", "79", "434", "352", "601"));
+ private static final Set<String> RISKY_CWE = new HashSet<>(asList("120", "22", "494", "829", "676", "131", "134", "190"));
+ private static final Set<String> POROUS_CWE = new HashSet<>(asList("306", "862", "798", "311", "807", "250", "863", "732", "327", "307", "759"));
+
+ public static final Map<String, List<String>> SONARSOURCE_CWE_MAPPING = ImmutableMap.<String, List<String>>builder()
+ .put("sql-injection", asList("89", "564"))
+ .put("command-injection", asList("78", "77"))
+ .put("path-traversal-injection", singletonList("22"))
+ .put("ldap-injection", singletonList("90"))
+ .put("xpath-injection", singletonList("643"))
+ .put("expression-lang-injection", singletonList("917"))
+ .put("rce", singletonList("94"))
+ .put("dos", singletonList("400"))
+ .put("ssrf", singletonList("918"))
+ .put("csrf", singletonList("352"))
+ .put("xss", asList("79", "80", "81", "82", "83", "84", "85", "86", "87"))
+ .put("log-injection", singletonList("117"))
+ .put("http-response-splitting", singletonList("113"))
+ .put("open-redirect", singletonList("601"))
+ .put("xxe", asList("611", "827"))
+ .put("object-injection", singletonList("470"))
+ .put("weak-cryptography", asList("326", "295", "326", "327", "297", "780", "328", "327"))
+ .put("auth", asList("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "284"))
+ .put("insecure-conf", asList("102", "489"))
+ .put("file-manipulation", asList("97", "73"))
+ .build();
+
+ public static final Map<String, Set<String>> SANS_TOP_25_CWE_MAPPING = ImmutableMap.of(
+ SANS_TOP_25_INSECURE_INTERACTION, INSECURE_CWE,
+ SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE,
+ SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE);
+
+ private static final Splitter SECURITY_STANDARDS_SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
+
+ private SecurityStandardHelper() {
+ // Utility class
+ }
+
+ public static List<String> getSecurityStandards(@Nullable String securityStandards) {
+ return securityStandards == null ? emptyList() : SECURITY_STANDARDS_SPLITTER.splitToList(securityStandards);
+ }
+
+ public static List<String> getSansTop25(Collection<String> cwe) {
+ return SANS_TOP_25_CWE_MAPPING
+ .keySet()
+ .stream()
+ .filter(k -> cwe.stream().anyMatch(SANS_TOP_25_CWE_MAPPING.get(k)::contains))
+ .collect(toList());
+ }
+
+ public static List<String> getSonarSourceSecurityCategories(Collection<String> cwe) {
+ return SONARSOURCE_CWE_MAPPING
+ .keySet()
+ .stream()
+ .filter(k -> cwe.stream().anyMatch(SONARSOURCE_CWE_MAPPING.get(k)::contains))
+ .collect(toList());
+ }
+
+ public static List<String> getOwaspTop10(Collection<String> securityStandards) {
+ List<String> result = securityStandards.stream()
+ .filter(s -> s.startsWith(OWASP_TOP10_PREFIX))
+ .map(s -> s.substring(OWASP_TOP10_PREFIX.length()))
+ .collect(toList());
+ return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
+ }
+
+ public static List<String> getCwe(Collection<String> securityStandards) {
+ List<String> result = securityStandards.stream()
+ .filter(s -> s.startsWith(CWE_PREFIX))
+ .map(s -> s.substring(CWE_PREFIX.length()))
+ .collect(toList());
+ return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
+ }
+
+ public static List<String> getSansTop25(String securityStandards) {
+ return getSansTop25(getCwe(getSecurityStandards(securityStandards)));
+ }
+
+ public static List<String> getSonarSourceSecurityCategories(String securityStandards) {
+ return getSonarSourceSecurityCategories(getCwe(getSecurityStandards(securityStandards)));
+ }
+
+ public static List<String> getOwaspTop10(String securityStandards) {
+ return getOwaspTop10(getSecurityStandards(securityStandards));
+ }
+
+ public static List<String> getCwe(String securityStandards) {
+ return getCwe(getSecurityStandards(securityStandards));
+ }
+}
import static org.sonar.db.component.ComponentTesting.newFileDto;
import static org.sonar.server.issue.IssueDocTesting.newDoc;
import static org.sonar.server.issue.index.IssueIndexDefinition.TYPE_ISSUE;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
-import static org.sonar.server.issue.index.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.permission.index.IndexAuthorizationConstants.TYPE_AUTHORIZATION;
public class IssueIndexerTest {
import static org.sonar.db.rule.RuleTesting.setOrganization;
import static org.sonar.db.rule.RuleTesting.setRepositoryKey;
import static org.sonar.db.rule.RuleTesting.setRuleKey;
+import static org.sonar.db.rule.RuleTesting.setSecurityStandards;
import static org.sonar.db.rule.RuleTesting.setSeverity;
import static org.sonar.db.rule.RuleTesting.setStatus;
import static org.sonar.db.rule.RuleTesting.setSystemTags;
import static org.sonar.server.rule.index.RuleIndexDefinition.TYPE_ACTIVE_RULE;
import static org.sonar.server.rule.index.RuleIndexDefinition.TYPE_RULE;
import static org.sonar.server.rule.index.RuleIndexDefinition.TYPE_RULE_EXTENSION;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
public class RuleIndexTest {
RuleDefinitionDto cobol1 = createRule(
setRepositoryKey("cobol"),
setRuleKey("X001"));
- RuleDefinitionDto php2 = createRule(
+ createRule(
setRepositoryKey("php"),
setRuleKey("S002"));
index();
assertThat(underTest.search(query, new SearchOptions()).getIds()).hasSize(2);
}
+ @Test
+ public void search_by_security_cwe() {
+ RuleDefinitionDto rule1 = createRule(setSecurityStandards(of("cwe:543", "cwe:123", "owaspTop10:a1")));
+ RuleDefinitionDto rule2 = createRule(setSecurityStandards(of("cwe:543", "owaspTop10:a1")));
+ createRule(setSecurityStandards(of("owaspTop10:a1")));
+ index();
+
+ RuleQuery query = new RuleQuery().setCwe(of("543"));
+ SearchIdResult<Integer> results = underTest.search(query, new SearchOptions().addFacets("cwe"));
+ assertThat(results.getIds()).containsOnly(rule1.getId(), rule2.getId());
+ }
+
+ @Test
+ public void search_by_security_owaspTop10() {
+ RuleDefinitionDto rule1 = createRule(setSecurityStandards(of("owaspTop10:a1", "owaspTop10:a10", "cwe:543")));
+ RuleDefinitionDto rule2 = createRule(setSecurityStandards(of("owaspTop10:a10", "cwe:543")));
+ createRule(setSecurityStandards(of("cwe:543")));
+ index();
+
+ RuleQuery query = new RuleQuery().setOwaspTop10(of("a5", "a10"));
+ SearchIdResult<Integer> results = underTest.search(query, new SearchOptions().addFacets("owaspTop10"));
+ assertThat(results.getIds()).containsOnly(rule1.getId(), rule2.getId());
+ }
+
+ @Test
+ public void search_by_security_sansTop25() {
+ RuleDefinitionDto rule1 = createRule(setSecurityStandards(of("owaspTop10:a1", "owaspTop10:a10", "cwe:89")));
+ RuleDefinitionDto rule2 = createRule(setSecurityStandards(of("owaspTop10:a10", "cwe:829")));
+ createRule(setSecurityStandards(of("cwe:306")));
+ index();
+
+ RuleQuery query = new RuleQuery().setSansTop25(of(SANS_TOP_25_INSECURE_INTERACTION, SANS_TOP_25_RISKY_RESOURCE));
+ SearchIdResult<Integer> results = underTest.search(query, new SearchOptions().addFacets("sansTop25"));
+ assertThat(results.getIds()).containsOnly(rule1.getId(), rule2.getId());
+ }
+
+ @Test
+ public void search_by_security_sonarsource() {
+ RuleDefinitionDto rule1 = createRule(setSecurityStandards(of("owaspTop10:a1", "owaspTop10:a10", "cwe:89")));
+ createRule(setSecurityStandards(of("owaspTop10:a10", "cwe:829")));
+ RuleDefinitionDto rule3 = createRule(setSecurityStandards(of("cwe:601")));
+ index();
+
+ RuleQuery query = new RuleQuery().setSonarsourceSecurity(of("sql-injection", "open-redirect"));
+ SearchIdResult<Integer> results = underTest.search(query, new SearchOptions().addFacets("sonarsourceSecurity"));
+ assertThat(results.getIds()).containsOnly(rule1.getId(), rule3.getId());
+ }
+
@Test
public void compare_to_another_profile() {
String xoo = "xoo";
@Test
public void languages_facet_should_return_top_100_items() {
- rangeClosed(1, 101).forEach(i -> db.rules().insert(r -> r.setLanguage("lang" + i)));
+ rangeClosed(1, 101).forEach(i -> db.rules().insert(r -> r.setLanguage("lang" + i)));
index();
SearchIdResult result = underTest.search(new RuleQuery(), new SearchOptions().addFacets(singletonList(FACET_LANGUAGES)));
@Test
public void repositories_facet_should_return_top_10_items() {
- rangeClosed(1, 11).forEach(i -> db.rules().insert(r -> r.setRepositoryKey("repo" + i)));
+ rangeClosed(1, 11).forEach(i -> db.rules().insert(r -> r.setRepositoryKey("repo" + i)));
index();
SearchIdResult result = underTest.search(new RuleQuery(), new SearchOptions().addFacets(singletonList(FACET_REPOSITORIES)));
import org.sonar.server.issue.index.IssueQuery.PeriodStart;
import org.sonar.server.permission.index.AuthorizationDoc;
import org.sonar.server.permission.index.WebAuthorizationTypeSupport;
+import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.user.UserSession;
import org.sonar.server.view.index.ViewIndexDefinition;
import static org.sonar.server.issue.index.IssueIndexDefinition.FIELD_ISSUE_TAGS;
import static org.sonar.server.issue.index.IssueIndexDefinition.FIELD_ISSUE_TYPE;
import static org.sonar.server.issue.index.IssueIndexDefinition.TYPE_ISSUE;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
-import static org.sonar.server.issue.index.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.view.index.ViewIndexDefinition.TYPE_VIEW;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.DEPRECATED_PARAM_AUTHORS;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.FACET_MODE_EFFORT;
import static org.sonar.server.issue.index.IssueIndex.FACET_PROJECTS;
import static org.sonar.server.issue.index.IssueQuery.SORT_BY_ASSIGNEE;
import static org.sonar.server.issue.index.IssueQueryFactory.UNKNOWN;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
-import static org.sonar.server.issue.index.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
import static org.sonar.server.ws.KeyExamples.KEY_PULL_REQUEST_EXAMPLE_001;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_AVAILABLE_SINCE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_COMPARE_TO_PROFILE;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_CWE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_INCLUDE_EXTERNAL;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_INHERITANCE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_IS_TEMPLATE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_LANGUAGES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ORGANIZATION;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_OWASP_TOP_10;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_QPROFILE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_REPOSITORIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_RULE_KEY;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SANS_TOP_25;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SEVERITIES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SONARSOURCE_SECURITY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY;
query.setTemplateKey(request.param(PARAM_TEMPLATE_KEY));
query.setTypes(toEnums(request.paramAsStrings(PARAM_TYPES), RuleType.class));
query.setKey(request.param(PARAM_RULE_KEY));
+ query.setCwe(request.paramAsStrings(PARAM_CWE));
+ query.setOwaspTop10(request.paramAsStrings(PARAM_OWASP_TOP_10));
+ query.setSansTop25(request.paramAsStrings(PARAM_SANS_TOP_25));
+ query.setSonarsourceSecurity(request.paramAsStrings(PARAM_SONARSOURCE_SECURITY));
String sortParam = request.param(WebService.Param.SORT);
if (sortParam != null) {
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.rule.RuleDto;
import org.sonar.db.user.UserDto;
+import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.qualityprofile.ActiveRuleInheritance;
import org.sonar.server.rule.index.RuleIndexDefinition;
import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
import static org.sonar.db.organization.OrganizationDto.Subscription.PAID;
import static org.sonar.db.permission.OrganizationPermission.ADMINISTER_QUALITY_PROFILES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVATION;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_AVAILABLE_SINCE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_COMPARE_TO_PROFILE;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_CWE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_INCLUDE_EXTERNAL;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_INHERITANCE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_IS_TEMPLATE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_LANGUAGES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ORGANIZATION;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_OWASP_TOP_10;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_QPROFILE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_REPOSITORIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_RULE_KEY;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SANS_TOP_25;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SEVERITIES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SONARSOURCE_SECURITY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY;
.setPossibleValues(Severity.ALL)
.setExampleValue("CRITICAL,BLOCKER");
+ action
+ .createParam(PARAM_CWE)
+ .setDescription("Comma-separated list of CWE identifiers. Use '" + UNKNOWN_STANDARD + "' to select rules not associated to any CWE.")
+ .setExampleValue("12,125," + UNKNOWN_STANDARD);
+
+ action.createParam(PARAM_OWASP_TOP_10)
+ .setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select rules not associated to any OWASP " +
+ "Top 10 category.")
+ .setSince("7.3")
+ .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
+
+ action.createParam(PARAM_SANS_TOP_25)
+ .setDescription("Comma-separated list of SANS Top 25 categories.")
+ .setSince("7.3")
+ .setPossibleValues(SANS_TOP_25_CWE_MAPPING.keySet());
+
+ action
+ .createParam(PARAM_SONARSOURCE_SECURITY)
+ .setDescription("Comma-separated list of SonarSource report categories.")
+ .setPossibleValues(SecurityStandardHelper.SONARSOURCE_CWE_MAPPING.keySet())
+ .setExampleValue("sql-injection,command-injection");
+
action
.createParam(PARAM_LANGUAGES)
.setDescription("Comma-separated list of languages")
.setSince("7.2");
}
-
}
public static final String PARAM_LANGUAGES = "languages";
public static final String PARAM_TAGS = "tags";
public static final String PARAM_TYPES = "types";
+ public static final String PARAM_CWE = "cwe";
+ public static final String PARAM_OWASP_TOP_10 = "owaspTop10";
+ public static final String PARAM_SANS_TOP_25 = "sansTop25";
+ public static final String PARAM_SONARSOURCE_SECURITY = "sonarsourceSecurity";
public static final String PARAM_INHERITANCE = "inheritance";
public static final String PARAM_ACTIVE_SEVERITIES = "active_severities";
public static final String PARAM_IS_TEMPLATE = "is_template";
import static org.sonar.server.es.SearchOptions.MAX_LIMIT;
import static org.sonar.server.rule.index.RuleIndex.ALL_STATUSES_EXCEPT_REMOVED;
import static org.sonar.server.rule.index.RuleIndex.FACET_ACTIVE_SEVERITIES;
+import static org.sonar.server.rule.index.RuleIndex.FACET_CWE;
import static org.sonar.server.rule.index.RuleIndex.FACET_LANGUAGES;
import static org.sonar.server.rule.index.RuleIndex.FACET_OLD_DEFAULT;
+import static org.sonar.server.rule.index.RuleIndex.FACET_OWASP_TOP_10;
import static org.sonar.server.rule.index.RuleIndex.FACET_REPOSITORIES;
+import static org.sonar.server.rule.index.RuleIndex.FACET_SANS_TOP_25;
import static org.sonar.server.rule.index.RuleIndex.FACET_SEVERITIES;
+import static org.sonar.server.rule.index.RuleIndex.FACET_SONARSOURCE_SECURITY;
import static org.sonar.server.rule.index.RuleIndex.FACET_STATUSES;
import static org.sonar.server.rule.index.RuleIndex.FACET_TAGS;
import static org.sonar.server.rule.index.RuleIndex.FACET_TYPES;
import static org.sonar.server.rule.ws.RulesWsParameters.OPTIONAL_FIELDS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_CWE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_LANGUAGES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_OWASP_TOP_10;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_REPOSITORIES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SANS_TOP_25;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SEVERITIES;
+import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_SONARSOURCE_SECURITY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TYPES;
FACET_ACTIVE_SEVERITIES,
FACET_STATUSES,
FACET_TYPES,
- FACET_OLD_DEFAULT};
+ FACET_OLD_DEFAULT,
+ FACET_CWE,
+ FACET_OWASP_TOP_10,
+ FACET_SANS_TOP_25,
+ FACET_SONARSOURCE_SECURITY};
private final RuleQueryFactory ruleQueryFactory;
private final DbClient dbClient;
addMandatoryFacetValues(results, FACET_ACTIVE_SEVERITIES, Severity.ALL);
addMandatoryFacetValues(results, FACET_TAGS, request.getTags());
addMandatoryFacetValues(results, FACET_TYPES, RuleType.names());
+ addMandatoryFacetValues(results, FACET_CWE, request.getCwe());
+ addMandatoryFacetValues(results, FACET_OWASP_TOP_10, request.getOwaspTop10());
+ addMandatoryFacetValues(results, FACET_SANS_TOP_25, request.getSansTop25());
+ addMandatoryFacetValues(results, FACET_SONARSOURCE_SECURITY, request.getSonarsourceSecurity());
Common.Facet.Builder facet = Common.Facet.newBuilder();
Common.FacetValue.Builder value = Common.FacetValue.newBuilder();
facetValuesByFacetKey.put(FACET_ACTIVE_SEVERITIES, request.getActiveSeverities());
facetValuesByFacetKey.put(FACET_TAGS, request.getTags());
facetValuesByFacetKey.put(FACET_TYPES, request.getTypes());
+ facetValuesByFacetKey.put(FACET_CWE, request.getCwe());
+ facetValuesByFacetKey.put(FACET_OWASP_TOP_10, request.getOwaspTop10());
+ facetValuesByFacetKey.put(FACET_SANS_TOP_25, request.getSansTop25());
+ facetValuesByFacetKey.put(FACET_SONARSOURCE_SECURITY, request.getSonarsourceSecurity());
for (String facetName : context.getFacets()) {
facet.clear().setProperty(facetName);
.setSeverities(request.paramAsStrings(PARAM_SEVERITIES))
.setStatuses(request.paramAsStrings(PARAM_STATUSES))
.setTags(request.paramAsStrings(PARAM_TAGS))
- .setTypes(request.paramAsStrings(PARAM_TYPES));
+ .setTypes(request.paramAsStrings(PARAM_TYPES))
+ .setCwe(request.paramAsStrings(PARAM_CWE))
+ .setOwaspTop10(request.paramAsStrings(PARAM_OWASP_TOP_10))
+ .setSansTop25(request.paramAsStrings(PARAM_SANS_TOP_25))
+ .setSonarsourceSecurity(request.paramAsStrings(PARAM_SONARSOURCE_SECURITY));
}
static class SearchResult {
private List<String> statuses;
private List<String> tags;
private List<String> types;
+ private List<String> cwe;
+ private List<String> owaspTop10;
+ private List<String> sansTop25;
+ private List<String> sonarsourceSecurity;
private SearchRequest setActiveSeverities(List<String> activeSeverities) {
this.activeSeverities = activeSeverities;
return tags;
}
- private SearchRequest setTypes(List<String> types) {
+ private SearchRequest setTypes(@Nullable List<String> types) {
this.types = types;
return this;
}
private List<String> getTypes() {
return types;
}
+
+ public List<String> getCwe() {
+ return cwe;
+ }
+
+ public SearchRequest setCwe(@Nullable List<String> cwe) {
+ this.cwe = cwe;
+ return this;
+ }
+
+ public List<String> getOwaspTop10() {
+ return owaspTop10;
+ }
+
+ public SearchRequest setOwaspTop10(@Nullable List<String> owaspTop10) {
+ this.owaspTop10 = owaspTop10;
+ return this;
+ }
+
+ public List<String> getSansTop25() {
+ return sansTop25;
+ }
+
+ public SearchRequest setSansTop25(@Nullable List<String> sansTop25) {
+ this.sansTop25 = sansTop25;
+ return this;
+ }
+
+ public List<String> getSonarsourceSecurity() {
+ return sonarsourceSecurity;
+ }
+
+ public SearchRequest setSonarsourceSecurity(@Nullable List<String> sonarsourceSecurity) {
+ this.sonarsourceSecurity = sonarsourceSecurity;
+ return this;
+ }
}
}
import org.sonar.server.component.ComponentFinder;
import org.sonar.server.issue.index.IssueIndex;
import org.sonar.server.issue.index.SecurityStandardCategoryStatistics;
-import org.sonar.server.issue.index.SecurityStandardHelper;
+import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.qualityprofile.QPMeasureData;
import org.sonar.server.qualityprofile.QualityProfile;
import org.sonar.server.user.UserSession;
import static java.util.stream.Collectors.toList;
import static org.sonar.api.measures.CoreMetrics.QUALITY_PROFILES_KEY;
import static org.sonar.api.web.UserRole.USER;
-import static org.sonar.server.issue.index.SecurityStandardHelper.UNKNOWN_STANDARD;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getCwe;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getOwaspTop10;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getSansTop25;
-import static org.sonar.server.issue.index.SecurityStandardHelper.getSonarSourceSecurityCategories;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.getCwe;
+import static org.sonar.server.security.SecurityStandardHelper.getOwaspTop10;
+import static org.sonar.server.security.SecurityStandardHelper.getSansTop25;
+import static org.sonar.server.security.SecurityStandardHelper.getSonarSourceSecurityCategories;
import static org.sonar.server.ws.WsUtils.writeProtobuf;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_OWASP_TOP_10;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_SANS_TOP_25;
import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto;
import static org.sonar.db.organization.OrganizationTesting.newOrganizationDto;
import static org.sonar.server.issue.IssueDocTesting.newDoc;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
-import static org.sonar.server.issue.index.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
-import static org.sonar.server.issue.index.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSECURE_INTERACTION;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
public class IssueIndexSecurityReportsTest {
"available_since",
"activation",
"severities",
- "organization");
+ "organization",
+ "cwe",
+ "owaspTop10",
+ "sansTop25",
+ "sonarsourceSecurity");
WebService.Param targetProfile = definition.param("targetKey");
assertThat(targetProfile.deprecatedKey()).isEqualTo("profile_key");
WebService.Param targetSeverity = definition.param("targetSeverity");
"available_since",
"activation",
"severities",
- "organization");
+ "organization",
+ "cwe",
+ "owaspTop10",
+ "sansTop25",
+ "sonarsourceSecurity");
WebService.Param targetProfile = definition.param("targetKey");
assertThat(targetProfile.deprecatedKey()).isEqualTo("profile_key");
}
assertThat(def.since()).isEqualTo("4.4");
assertThat(def.isInternal()).isFalse();
assertThat(def.responseExampleAsString()).isNotEmpty();
- assertThat(def.params()).hasSize(24);
+ assertThat(def.params()).hasSize(28);
WebService.Param compareToProfile = def.param("compareToProfile");
assertThat(compareToProfile.since()).isEqualTo("6.5");