SONAR-14442 add cweTop25 value param to 'api/security_report'
authorJacek <jacek.poreda@sonarsource.com>
Mon, 8 Feb 2021 11:47:41 +0000 (12:47 +0100)
committersonartech <sonartech@sonarsource.com>
Wed, 17 Feb 2021 20:07:15 +0000 (20:07 +0000)
- map ES results to WS results

server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java
server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java
sonar-ws/src/main/java/org/sonarqube/ws/client/issue/IssuesWsParameters.java

index ab12ec4783ca4de3e3709333c881d18988273314..b07092243723383963bab0f4146873842335026b 100644 (file)
@@ -64,6 +64,22 @@ public final class SecurityStandards {
     SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE,
     SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE);
 
+  // https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
+  private static final Set<String> CWE_TOP25_2019 = new HashSet<>(
+    asList("119", "79", "20", "200", "125", "89", "416", "190", "352",
+      "22", "78", "787", "287", "476", "732", "434", "611", "94",
+      "798", "400", "772", "426", "502", "269", "295"));
+
+  // https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
+  private static final Set<String> CWE_TOP25_2020 = new HashSet<>(
+    asList("79", "787", "20", "125", "119", "89", "200", "416", "352",
+      "78", "190", "22", "476", "287", "434", "732", "94", "522",
+      "611", "798", "502", "269", "400", "306", "862"));
+
+  public static final Map<String, Set<String>> CWES_BY_CWE_TOP_25 = ImmutableMap.of(
+    "2019", CWE_TOP25_2019,
+    "2020", CWE_TOP25_2020);
+
   public enum VulnerabilityProbability {
     HIGH(3),
     MEDIUM(2),
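Review bot: `CWES_BY_CWE_TOP_25` is exposed as a public constant, but the values it wraps are plain mutable `HashSet`s (L20, L26), so the `ImmutableMap` only protects the keys: any caller can do `CWES_BY_CWE_TOP_25.get("2019").add("999")` and silently change how every issue is classified from then on. Since this file already depends on Guava's `ImmutableMap`, build each edition as `private static final Set<String> CWE_TOP25_2019 = ImmutableSet.of("119", "79", ...);` (or wrap the `HashSet` in `Collections.unmodifiableSet`) so the lists are read-only. An `ImmutableSet` also preserves insertion order, which here is the MITRE rank order the comments link to, whereas `HashSet` discards it — and the report code in `IssueIndex` streams these sets to build per-CWE rows, so rank order is worth keeping. The two id lists themselves match the 2019 and 2020 MITRE rankings.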
@@ -187,6 +203,10 @@ public final class SecurityStandards {
     return toSansTop25(cwe);
   }
 
+  public Set<String> getCweTop25() {
+    return toCweTop25(cwe);
+  }
+
   public SQCategory getSqCategory() {
     return sqCategory;
   }
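Review bot: `getCweTop25()` is a new public accessor with no Javadoc, and its contract is not obvious from the name because the returned strings are edition years rather than CWE ids. I would add: `/** Editions of the CWE Top 25 ("2019", "2020") in which at least one of this issue's CWE ids appears; empty if none does. */`. It is also worth stating that, unlike the method ending at L50 which substitutes `UNKNOWN_STANDARD` for an empty result, this one returns an empty set (which the new test asserts), so WS consumers should not expect an "unknown" bucket for this standard; that appears to mirror `getSansTop25()`, but I cannot see the end of `toSansTop25` here to confirm.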
@@ -225,6 +245,14 @@ public final class SecurityStandards {
     return result.isEmpty() ? singleton(UNKNOWN_STANDARD) : result;
   }
 
+  private static Set<String> toCweTop25(Set<String> cwe) {
+    return CWES_BY_CWE_TOP_25
+      .keySet()
+      .stream()
+      .filter(k -> cwe.stream().anyMatch(CWES_BY_CWE_TOP_25.get(k)::contains))
+      .collect(toSet());
+  }
+
   private static Set<String> toSansTop25(Collection<String> cwe) {
     return CWES_BY_SANS_TOP_25
       .keySet()
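Review bot: `toCweTop25` takes `Set<String>` while its sibling `toSansTop25` right below takes `Collection<String>`, for what is otherwise the same filter; widening the new signature to `private static Set<String> toCweTop25(Collection<String> cwe)` keeps the two helpers interchangeable and avoids tying the caller to a particular collection type. If you want to drop the nested stream, the predicate can be written as `.filter(k -> !Collections.disjoint(cwe, CWES_BY_CWE_TOP_25.get(k)))`, which reads as the set-intersection test it is. Iterating `entrySet()` instead of `keySet()` would also save the second map lookup per edition, though with two keys that is purely cosmetic.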
index afd7ec08f06a4af2ea69dadf47bbc4061f92f59a..7a9566412fb410d2e3ee69fd936110b77d724a31 100644 (file)
@@ -67,6 +67,14 @@ public class SecurityStandardsTest {
     assertThat(securityStandards.getSansTop25()).isEmpty();
   }
 
+  @Test
+  public void fromSecurityStandards_from_empty_set_has_no_CweTop25_standard() {
+    SecurityStandards securityStandards = fromSecurityStandards(emptySet());
+
+    assertThat(securityStandards.getStandards()).isEmpty();
+    assertThat(securityStandards.getCweTop25()).isEmpty();
+  }
+
   @Test
   public void fromSecurityStandards_finds_SQCategory_from_any_if_the_mapped_CWE_standard() {
     CWES_BY_SQ_CATEGORY.forEach((sqCategory, cwes) -> {
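Review bot: The only new test is the empty-set case, so nothing checks that a CWE id actually maps to the right edition(s) — the exact thing the two hand-typed lists in `SecurityStandards` can get wrong. Add positive cases built the same way the SQCategory test below constructs its cwe standard strings: an id present only in 2019 (e.g. 772, 426 or 295) should give `assertThat(securityStandards.getCweTop25()).containsExactly("2019");`, one present only in 2020 (522, 306 or 862) should give `containsExactly("2020")`, and one in both (79) should give `containsExactlyInAnyOrder("2019", "2020")`. A non-CWE standard (e.g. an OWASP entry) giving an empty result would round out the coverage.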
index 6ffa2356051c75ddf06dbb371596b97905fe5a51..db6acdf59459aefbc0b0312e7a14314910ef49ed 100644 (file)
@@ -1016,6 +1016,17 @@ public class IssueIndex {
     return processSecurityReportSearchResults(request, includeCwe);
   }
 
+  public List<SecurityStandardCategoryStatistics> getCweTop25Reports(String uuid, boolean isViewOrApp) {
+    // TODO:: Mock data - SONAR-14447 elasticsearch query
+    return Arrays.asList(
+      new SecurityStandardCategoryStatistics("2019", 1, OptionalInt.empty(), 10, 5, 10,
+        SecurityStandards.CWES_BY_CWE_TOP_25.get("2019").stream().map(cwe -> new SecurityStandardCategoryStatistics(cwe, 1, OptionalInt.empty(), 1, 3, 2, null))
+          .collect(toList())),
+      new SecurityStandardCategoryStatistics("2020", 0, OptionalInt.empty(), 9, 5, 10,
+        SecurityStandards.CWES_BY_CWE_TOP_25.get("2020").stream().map(cwe -> new SecurityStandardCategoryStatistics(cwe, 1, OptionalInt.empty(), 1, 3, 4, null))
+          .collect(toList())));
+  }
+
   public List<SecurityStandardCategoryStatistics> getSonarSourceReport(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
     SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
     Arrays.stream(SQCategory.values())
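Review bot: `getCweTop25Reports` ignores both `uuid` and `isViewOrApp` and returns the same fabricated counts for every project, yet it is a public method on `IssueIndex` and the commit title says it backs `api/security_report`. Unlike the sibling `getSonarSourceReport`, it never goes through `prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp)` (L97), so whatever project scoping that search applies is bypassed, and a security report is exactly the kind of number people act on. If this has to land before SONAR-14447, I would make the placeholder unmistakable, e.g. `// FIXME SONAR-14447: hard-coded placeholder that ignores uuid/isViewOrApp — do not expose this standard through the WS until the ES query exists`, and make sure the `cweTop25` value is not accepted by the endpoint until then. The `null` passed as the last constructor argument for the per-CWE rows is presumably "no children" — worth confirming against `SecurityStandardCategoryStatistics`, which is not visible here.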
index 9e5e4bfa76a2869e1c19536c5568a6d10e35f12e..39da2370148b760c9f0571aec717d829d528feb5 100644 (file)
@@ -85,6 +85,7 @@ public class IssuesWsParameters {
   public static final String PARAM_TYPES = "types";
   public static final String PARAM_OWASP_TOP_10 = "owaspTop10";
   public static final String PARAM_SANS_TOP_25 = "sansTop25";
+  public static final String PARAM_CWE_TOP_25 = "cweTop25";
   public static final String PARAM_SONARSOURCE_SECURITY = "sonarsourceSecurity";
   public static final String PARAM_CWE = "cwe";
   public static final String PARAM_ASSIGNED = "assigned";