package org.sonar.server.security;
import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Ordering;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
.put("insecure-conf", ImmutableSet.of("102", "489"))
.put("file-manipulation", ImmutableSet.of("97", "73"))
.build();
+ public static final String SONARSOURCE_OTHER_CWES_CATEGORY = "others";
+ public static final Ordering<String> SONARSOURCE_CATEGORY_ORDERING = Ordering.explicit(
+ ImmutableList.<String>builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build());
private static final Splitter SECURITY_STANDARDS_SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
}
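Review bot: `SONARSOURCE_CATEGORY_ORDERING` at L14-15 is built with `Ordering.explicit`, which rejects duplicate elements at construction and throws `Ordering.IncomparableValueException` when asked to compare a value that is not in its list, and neither constraint is documented. The first means adding an `"others"` key to `SONARSOURCE_CWE_MAPPING` would break class initialisation of the helper; the second means the ordering is only safe on values produced by `getSonarSourceSecurityCategories` (or the map's keys), not on category strings read back from an index or a request. A short Javadoc on the constant would make that contract explicit, e.g. `/** Display order of SonarSource categories: the mapping keys in declaration order, then {@link #SONARSOURCE_OTHER_CWES_CATEGORY}. Only values from that set may be compared. */`. The enclosing class continues outside this hunk.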
public static List<String> getSonarSourceSecurityCategories(Collection<String> cwe) {
- return SONARSOURCE_CWE_MAPPING
+ List<String> result = SONARSOURCE_CWE_MAPPING
.keySet()
.stream()
.filter(k -> cwe.stream().anyMatch(SONARSOURCE_CWE_MAPPING.get(k)::contains))
.collect(toList());
+ return result.isEmpty() ? singletonList(SONARSOURCE_OTHER_CWES_CATEGORY) : result;
}
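Review bot: The new fallback at L25 changes the return value's shape without documenting it: the normal path returns the (in practice mutable) list produced by `toList()`, while the fallback returns `Collections.singletonList`, which is immutable, so a caller that mutates the result only fails on the no-match path. The fallback also makes this method asymmetric with `getOwaspTop10` directly below, which after this change returns an empty list rather than a sentinel; the Javadoc should state which callers rely on the sentinel. A two-line Javadoc would do: `/** Maps CWE ids to SonarSource categories; returns a single-element list holding {@link #SONARSOURCE_OTHER_CWES_CATEGORY} when no id maps to a category (including an empty input). */`. If the immutability difference is not intended, `return result.isEmpty() ? new ArrayList<>(singletonList(SONARSOURCE_OTHER_CWES_CATEGORY)) : result;` keeps both paths mutable.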
public static List<String> getOwaspTop10(Collection<String> securityStandards) {
- List<String> result = securityStandards.stream()
+ return securityStandards.stream()
.filter(s -> s.startsWith(OWASP_TOP10_PREFIX))
.map(s -> s.substring(OWASP_TOP10_PREFIX.length()))
.collect(toList());
- return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
}
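Review bot: Dropping the `UNKNOWN_STANDARD` fallback at L33 changes what is written into the issue index for issues without an OWASP category, but documents already indexed with `"unknown"` keep that value until the issue index is rebuilt. Unless `IssueIndexDefinition`'s index version is bumped in this change (not visible in the diff), the `owaspTop10` facet can keep showing an `unknown` bucket that the web service no longer accepts as a filter value (L89-90). Worth confirming the reindex trigger, and worth a one-line comment here: `// no fallback value: issues without an OWASP category are simply not indexed under this field`.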
public static List<String> getCwe(Collection<String> securityStandards) {
import static org.sonar.server.issue.IssueDocTesting.newDoc;
import static org.sonar.server.issue.index.IssueIndexDefinition.TYPE_ISSUE;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.permission.index.IndexAuthorizationConstants.TYPE_AUTHORIZATION;
// functional date
assertThat(doc.updateDate()).isEqualToIgnoringMillis(new Date(issue.getIssueUpdateTime()));
assertThat(doc.getCwe()).containsExactlyInAnyOrder(UNKNOWN_STANDARD);
- assertThat(doc.getOwaspTop10()).containsExactlyInAnyOrder(UNKNOWN_STANDARD);
+ assertThat(doc.getOwaspTop10()).isEmpty();
assertThat(doc.getSansTop25()).isEmpty();
+ assertThat(doc.getSonarSourceSecurityCategories()).containsExactlyInAnyOrder(SONARSOURCE_OTHER_CWES_CATEGORY);
}
@Test
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
-import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.view.index.ViewIndexDefinition.TYPE_VIEW;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.DEPRECATED_PARAM_AUTHORS;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.FACET_MODE_EFFORT;
public List<SecurityStandardCategoryStatistics> getSonarSourceReport(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
- SONARSOURCE_CWE_MAPPING.keySet()
- .forEach(
- sonarsourceCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
+ Stream.concat(SONARSOURCE_CWE_MAPPING.keySet().stream(), Stream.of(SONARSOURCE_OTHER_CWES_CATEGORY))
+ .forEach(sonarsourceCategory -> request.addAggregation(
+ createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
return processSecurityReportSearchResults(request, includeCwe);
}
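Review bot: The new `"others"` aggregation at L64-66 is created with `Optional.of(SONARSOURCE_CWE_MAPPING)` even though the map has no entry for that category; `createAggregation` is outside this hunk, so if it looks the category up in the map when `includeCwe` is true, it will get `null` for this one bucket, which should be verified against its implementation. Separately, the "mapping keys plus others" sequence is now assembled in four places (here, L14-15, L102 and L154), which will drift the first time a category is added; a single `public static final List<String> SONARSOURCE_CATEGORIES` in `SecurityStandardHelper` built once from the keys and `SONARSOURCE_OTHER_CWES_CATEGORY` lets this become `SONARSOURCE_CATEGORIES.forEach(sonarsourceCategory -> request.addAggregation(...))` and lets the two `setPossibleValues` calls pass the same constant.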
public List<SecurityStandardCategoryStatistics> getOwaspTop10Report(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
- Stream.concat(IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i), Stream.of(UNKNOWN_STANDARD))
+ IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i)
.forEach(owaspCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_OWASP_TOP_10, owaspCategory, includeCwe, Optional.empty())));
return processSecurityReportSearchResults(request, includeCwe);
}
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
.setPossibleValues((Object[]) RuleType.values())
.setExampleValue(format("%s,%s", RuleType.CODE_SMELL, RuleType.BUG));
action.createParam(PARAM_OWASP_TOP_10)
- .setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any OWASP Top 10 category.")
+ .setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
- .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
+ .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
.setSince("7.3")
.setDescription("Comma-separated list of CWE identifiers. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any CWE.")
.setExampleValue("12,125," + UNKNOWN_STANDARD);
action.createParam(PARAM_SONARSOURCE_SECURITY)
- .setDescription("Comma-separated list of SonarSource security categories.")
+ .setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select issues not associated" +
+ " with any category")
.setSince("7.8")
- .setPossibleValues(SONARSOURCE_CWE_MAPPING.keySet());
+ .setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build());
action.createParam(DEPRECATED_PARAM_AUTHORS)
.setDeprecatedSince("7.7")
.setDescription("This parameter is deprecated, please use '%s' instead", PARAM_AUTHOR)
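Review bot: Removing `UNKNOWN_STANDARD` from `setPossibleValues` of `PARAM_OWASP_TOP_10` at L90 (and L143 in the rules action) turns a value that existing API clients could legally send into a parameter validation error, and nothing in the hunk records that in the action's changelog; an entry such as `new Change("7.8", "'" + UNKNOWN_STANDARD + "' is no longer an accepted value of '" + PARAM_OWASP_TOP_10 + "'")` would make the break discoverable from api/webservices. The new description at L98-99 (and L151-152) is also the only one in the block without a trailing period, `... not associated with any category."`. Lastly, `ImmutableList.builder()` at L102 and L154 is used raw while the helper at L15 uses the `<String>` type witness; `ImmutableList.<String>builder()` keeps the three consistent and avoids a `Builder<Object>`.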
*/
package org.sonar.server.rule.ws;
+import com.google.common.collect.ImmutableList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.rule.RuleDto;
import org.sonar.db.user.UserDto;
-import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.qualityprofile.ActiveRuleInheritance;
import org.sonar.server.rule.index.RuleIndexDefinition;
import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
import static org.sonar.db.organization.OrganizationDto.Subscription.PAID;
import static org.sonar.db.permission.OrganizationPermission.ADMINISTER_QUALITY_PROFILES;
-import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
-import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVATION;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_AVAILABLE_SINCE;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TYPES;
+import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
+import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
+import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.WsUtils.checkFoundWithOptional;
@ServerSide
.setExampleValue("12,125," + UNKNOWN_STANDARD);
action.createParam(PARAM_OWASP_TOP_10)
- .setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select rules not associated to any OWASP " +
- "Top 10 category.")
+ .setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
- .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
+ .setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
action
.createParam(PARAM_SONARSOURCE_SECURITY)
- .setDescription("Comma-separated list of SonarSource report categories.")
- .setPossibleValues(SecurityStandardHelper.SONARSOURCE_CWE_MAPPING.keySet())
- .setExampleValue("sql-injection,command-injection");
+ .setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select rules not associated" +
+ " with any category")
+ .setSince("7.8")
+ .setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build())
+ .setExampleValue("sql-injection,command-injection,others");
action
.createParam(PARAM_LANGUAGES)
tuple("a7", 0L, OptionalInt.empty(), 0L, 0L, 0L),
tuple("a8", 0L, OptionalInt.empty(), 0L, 0L, 1L /* reviewedHotspot */),
tuple("a9", 0L, OptionalInt.empty(), 0L, 0L, 0L),
- tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L),
- tuple("unknown", 1L /* notowaspvul */, OptionalInt.of(4) /* CRITICAL = D */, 1L /* notowasphotspot */, 0L, 0L));
+ tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L));
return owaspTop10Report;
}
+++ /dev/null
-{
- "categories": [
- {
- "category": "a1",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a2",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a3",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "a4",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a5",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a6",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a7",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a8",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a9",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a10",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "unknown",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 2
- }
- ]
-}
+++ /dev/null
-{
- "categories": [
- {
- "category": "a1",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a2",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "a3",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "a4",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a5",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a6",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a7",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a8",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a9",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "a10",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "unknown",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 2
- }
- ]
-}
+++ /dev/null
-{
- "categories": [
- {
- "category": "porous-defenses",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 1
- },
- {
- "category": "risky-resource",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "insecure-interaction",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 0,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 0,
- "activeRules": 1,
- "totalRules": 1
- }
- ],
- "activeRules": 2,
- "totalRules": 2
- }
- ]
-}
+++ /dev/null
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- }
- ]
-}
+++ /dev/null
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1
- }
- ]
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": []
- }
- ]
-}
+++ /dev/null
-{
- "categories": [
- {
- "category": "ldap-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "object-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "ssrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "insecure-conf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xxe",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "auth",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xpath-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "weak-cryptography",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "dos",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "open-redirect",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "log-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "csrf",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "sql-injection",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "distribution": [
- {
- "cwe": "89",
- "vulnerabilities": 1,
- "vulnerabilityRating": 3,
- "inReviewSecurityHotspots": 1,
- "toReviewSecurityHotspots": 1,
- "reviewedSecurityHotspots": 1,
- "activeRules": 1,
- "totalRules": 1
- }
- ],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "file-manipulation",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "expression-lang-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "rce",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "xss",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- },
- {
- "category": "path-traversal-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "command-injection",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 1,
- "totalRules": 1
- },
- {
- "category": "http-response-splitting",
- "vulnerabilities": 0,
- "inReviewSecurityHotspots": 0,
- "toReviewSecurityHotspots": 0,
- "reviewedSecurityHotspots": 0,
- "distribution": [],
- "activeRules": 0,
- "totalRules": 0
- }
- ]
-}
it('should display correct selection', () => {
const wrapper = shallowRender({
open: true,
- owaspTop10: ['a1', 'a3', 'unknown'],
+ owaspTop10: ['a1', 'a3'],
sansTop25: ['risky-resource', 'foo'],
cwe: ['42', '1111', 'unknown'],
- sonarsourceSecurity: ['sql-injection']
+ sonarsourceSecurity: ['sql-injection', 'others']
});
checkValues('standards', [
'SONAR SQL Injection',
+ 'Others',
'OWASP A1 - a1 title',
'OWASP A3',
- 'Not OWAPS',
'SANS Risky Resource Management',
'SANS foo',
'CWE-42 - cwe-42 title',
'CWE-1111',
'Unknown CWE'
]);
- checkValues('owaspTop10', ['A1 - a1 title', 'A3', 'Not OWAPS']);
+ checkValues('owaspTop10', ['A1 - a1 title', 'A3']);
checkValues('sansTop25', ['Risky Resource Management', 'foo']);
- checkValues('sonarsourceSecurity', ['SQL Injection']);
+ checkValues('sonarsourceSecurity', ['SQL Injection', 'Others']);
function checkValues(property: string, values: string[]) {
expect(
);
wrapper.setState({
standards: {
- owaspTop10: { a1: { title: 'a1 title' }, unknown: { title: 'Not OWAPS' } },
+ owaspTop10: { a1: { title: 'a1 title' } },
sansTop25: { 'risky-resource': { title: 'Risky Resource Management' } },
cwe: { 42: { title: 'cwe-42 title' }, unknown: { title: 'Unknown CWE' } },
- sonarsourceSecurity: { 'sql-injection': { title: 'SQL Injection' } }
+ sonarsourceSecurity: {
+ 'sql-injection': { title: 'SQL Injection' },
+ others: { title: 'Others' }
+ }
}
});
return wrapper;
owaspTop10: {
a1: {
title: 'Injection'
- },
- unknown: {
- title: 'Not OWASP'
}
},
sansTop25: {},
expect(renderOwaspTop10Category(standards, 'a1', true)).toEqual('OWASP A1 - Injection');
expect(renderOwaspTop10Category(standards, 'a2')).toEqual('A2');
expect(renderOwaspTop10Category(standards, 'a2', true)).toEqual('OWASP A2');
- expect(renderOwaspTop10Category(standards, 'unknown')).toEqual('Not OWASP');
- expect(renderOwaspTop10Category(standards, 'unknown', true)).toEqual('Not OWASP');
});
});
expect(renderSonarSourceSecurityCategory(standards, 'xss', true)).toEqual(
'SONAR Cross-Site Scripting (XSS)'
);
- expect(renderSonarSourceSecurityCategory(standards, 'unknown')).toEqual('unknown');
- expect(renderSonarSourceSecurityCategory(standards, 'unknown', true)).toEqual('SONAR unknown');
expect(renderSonarSourceSecurityCategory(standards, 'others')).toEqual('Others');
expect(renderSonarSourceSecurityCategory(standards, 'others', true)).toEqual('Others');
});
const record = standards.owaspTop10[category];
if (!record) {
return addPrefix(category.toUpperCase(), 'OWASP', withPrefix);
- } else if (category === 'unknown') {
- return record.title;
} else {
return addPrefix(`${category.toUpperCase()} - ${record.title}`, 'OWASP', withPrefix);
}
withPrefix = false
): string {
const record = standards.sonarsourceSecurity[category];
- if (category === 'others') {
+ if (!record) {
+ return addPrefix(category.toUpperCase(), 'SONAR', withPrefix);
+ } else if (category === 'others') {
return record.title;
} else {
- return addPrefix(record ? record.title : category, 'SONAR', withPrefix);
+ return addPrefix(record.title, 'SONAR', withPrefix);
}
}
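Review bot: With the reordered checks at L1122-1124, the `others` category is only reached when a record exists, so while the standards metadata has not loaded (or lacks an `others` entry) it renders as `SONAR OTHERS`, which contradicts the branch's explicit intent of showing it without the SONAR prefix; the tests at L1107-1108 only cover the loaded case. Checking the special category first keeps its rendering stable in both states: `if (category === 'others') { return record ? record.title : category; }` followed by the existing `!record` branch. The function's signature starts outside this hunk.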
"title": "Insufficient Logging & Monitoring",
"description":
"Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring."
- },
- "unknown": {
- "title": "Not OWASP"
}
},
"sansTop25": {