SONAR-20333 Update security reports with CWE Top 25 2023
authorMatteo Mara <matteo.mara@sonarsource.com>
Wed, 27 Sep 2023 16:09:19 +0000 (18:09 +0200)
committersonartech <sonartech@sonarsource.com>
Fri, 29 Sep 2023 20:02:47 +0000 (20:02 +0000)
server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java

index 767c1ac314c6a8bfcd2c122f13a34a59abc9f8bd..cd78ac5e6cadf3247e568491bd7b78ef774f8ff4 100644 (file)
@@ -88,10 +88,6 @@ public final class SecurityStandards {
     SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE,
     SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE);
 
-  // https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
-  public static final List<String> CWE_TOP25_2020 = List.of("79", "787", "20", "125", "119", "89", "200", "416", "352", "78", "190", "22", "476", "287",
-    "434", "732", "94", "522", "611", "798", "502", "269", "400", "306", "862");
-
   // https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
   public static final List<String> CWE_TOP25_2021 = List.of("787", "79", "125", "20", "78", "89", "416", "22", "352", "434", "306", "190", "502", "287", "476",
     "798", "119", "862", "276", "200", "522", "732", "611", "918", "77");
@@ -100,14 +96,18 @@ public final class SecurityStandards {
   public static final List<String> CWE_TOP25_2022 = List.of("787", "79", "89", "20", "125", "78", "416", "22", "352", "434", "476", "502", "190", "287", "798",
     "862", "77", "306", "119", "276", "918", "362", "400", "611", "94");
 
-  public static final String CWE_YEAR_2020 = "2020";
+  // https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html#tableView
+  public static final List<String> CWE_TOP25_2023 = List.of("787", "79", "89", "416", "78",  "20", "125", "22", "352", "434", "862", "476", "287", "190", "502",
+    "77", "119", "798", "918", "306", "362", "269", "94", "863", "276");
+
   public static final String CWE_YEAR_2021 = "2021";
   public static final String CWE_YEAR_2022 = "2022";
+  public static final String CWE_YEAR_2023 = "2023";
 
   public static final Map<String, List<String>> CWES_BY_CWE_TOP_25 = Map.of(
-    CWE_YEAR_2020, CWE_TOP25_2020,
     CWE_YEAR_2021, CWE_TOP25_2021,
-    CWE_YEAR_2022, CWE_TOP25_2022);
+    CWE_YEAR_2022, CWE_TOP25_2022,
+    CWE_YEAR_2023, CWE_TOP25_2023);
 
   private static final List<String> OWASP_ASVS_40_LEVEL_1 = List.of("2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9",
     "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.2.1", "2.2.2", "2.2.3", "2.3.1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.5.6", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.8.1",
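Review bot: `CWE_TOP25_2023` is a hand-typed list with no guard that it holds exactly 25 distinct IDs; a duplicated or dropped entry compiles fine with `List.of`, and the only check visible is the `hasSize(25)` assertion in the index test, which would not catch a duplicate. The 25 IDs do match the 2023 MITRE table in rank order, so the data is right, but the next yearly update would be safer with a self-check such as `static { assert CWES_BY_CWE_TOP_25.values().stream().allMatch(l -> new HashSet<>(l).size() == 25); }` (or the same check in a unit test) and a comment above the list, `// MITRE rank order; must be exactly 25 distinct CWE IDs`. Dropping `CWE_YEAR_2020` from `CWES_BY_CWE_TOP_25` also means a caller that still asks for the 2020 report presumably gets no category rather than an error — confirm that is the intended behaviour for existing API clients. Minor: double space in `"78",  "20"` on the first line of the new list.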
index 0ff92fd6965020fb180bdfa66be5f1e340282d2e..535fae2a23b42583f9bc5cc328df07fd50beecdc 100644 (file)
@@ -40,9 +40,9 @@ import static java.util.stream.Collectors.toList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.tuple;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;
-import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2017;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2021;
+import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto;
 import static org.sonar.server.issue.IssueDocTesting.newDocForProject;
 import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
@@ -586,28 +586,7 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .map(SecurityStandardCategoryStatistics::getCategory)
       .collect(toList());
 
-    assertThat(listOfYears).contains("2020", "2021", "2022");
-
-    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
-      .filter(s -> s.getCategory().equals("2020"))
-      .findAny().get();
-    assertThat(cwe2020.getChildren()).hasSize(25);
-    assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(1L, 0L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "89")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(0L, 1L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "862")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(1L, 0L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+    assertThat(listOfYears).contains("2021", "2022", "2023");
 
     SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
       .filter(s -> s.getCategory().equals("2021"))
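Review bot: The replaced `contains("2021", "2022", "2023")` assertion does not verify that the 2020 report is actually gone, because `contains` still passes when extra elements are present; the removal this commit makes is only pinned by `assertThat(listOfYears).containsExactlyInAnyOrder("2021", "2022", "2023");`. The enclosing test method starts before this hunk and its remaining per-year assertions continue after it.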
@@ -642,6 +621,27 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .containsExactlyInAnyOrder(0L, 1L, 0L);
     assertThat(findRuleInCweByYear(cwe2022, "950")).isNull();
     assertThat(findRuleInCweByYear(cwe2022, "999")).isNull();
+
+    SecurityStandardCategoryStatistics cwe2023 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2023"))
+      .findAny().get();
+    assertThat(cwe2023.getChildren()).hasSize(25);
+    assertThat(findRuleInCweByYear(cwe2023, "119")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(1L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "89")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(0L, 1L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "862")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(1L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "999")).isNull();
   }
 
   @Test
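Review bot: The new `cwe2023` block is a line-for-line copy of the `cwe2022` block above it with only the year changed, the third repetition of the same lookup-and-assert pattern in this method; a private helper that fetches a year's `SecurityStandardCategoryStatistics` and asserts the (vulnerabilities, toReview, reviewed) triple for a CWE would reduce the next yearly update to a few lines. `findAny().get()` also fails with a bare `NoSuchElementException` when the year is missing, hiding which year it was; `.orElseThrow(() -> new AssertionError("no CWE Top 25 2023 report"))` names the failure. The enclosing test method starts before this hunk.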
@@ -670,28 +670,7 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .map(SecurityStandardCategoryStatistics::getCategory)
       .collect(toList());
 
-    assertThat(listOfYears).contains("2020", "2021", "2022");
-
-    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
-      .filter(s -> s.getCategory().equals("2020"))
-      .findAny().get();
-    assertThat(cwe2020.getChildren()).hasSize(25);
-    assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(2L, 0L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "89")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(0L, 1L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "862")).isNotNull()
-      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
-      .containsExactlyInAnyOrder(1L, 0L, 0L);
-    assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+    assertThat(listOfYears).contains("2021", "2022", "2023");
 
     SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
       .filter(s -> s.getCategory().equals("2021"))
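Review bot: `assertThat(listOfYears).contains("2021", "2022", "2023")` would still pass if a "2020" category were still reported, so this assertion does not check the removal the commit makes; `containsExactlyInAnyOrder("2021", "2022", "2023")` does. The enclosing test method starts before this hunk.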
@@ -728,6 +707,26 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
     assertThat(findRuleInCweByYear(cwe2022, "295")).isNull();
     assertThat(findRuleInCweByYear(cwe2022, "999")).isNull();
 
+    SecurityStandardCategoryStatistics cwe2023 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2023"))
+      .findAny().get();
+    assertThat(cwe2023.getChildren()).hasSize(25);
+    assertThat(findRuleInCweByYear(cwe2023, "119")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(2L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "89")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(0L, 1L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "862")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(1L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2023, "999")).isNull();
   }
 
   private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {
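Review bot: The `cwe2023` lookup uses `findAny().get()`, so a missing 2023 category fails with an uninformative `NoSuchElementException` rather than an assertion naming the year; `.orElseThrow(() -> new AssertionError("no CWE Top 25 2023 report"))` is clearer. The block is otherwise a verbatim copy of the `cwe2022` block that precedes it, and the same copy appears in the earlier test method, so a shared helper for the lookup plus the three-value extraction would shrink both. The enclosing test method starts before this hunk, and `findRuleInCweByYear` on the last context line continues after it.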