SONAR-22543 Add CASA security report
authorLéo Geoffroy <leo.geoffroy@sonarsource.com>
Wed, 24 Jul 2024 14:35:54 +0000 (16:35 +0200)
committersonartech <sonartech@sonarsource.com>
Fri, 26 Jul 2024 20:02:47 +0000 (20:02 +0000)
plugins/sonar-xoo-plugin/src/main/java/org/sonar/xoo/rule/XooRulesDefinition.java
server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java
server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java
server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java

index c02e8f42e99aec9d77bb663921cb019757f25895..39265fcbdcdf9a5e00c5510b014aa8dbfc0727ea 100644 (file)
@@ -366,6 +366,7 @@ public class XooRulesDefinition implements RulesDefinition {
         break;
       case "pciDss-4.0":
         rule.addPciDss(PciDssVersion.V4_0, splitStandard[1]);
+        break;
       default:
         throw new IllegalArgumentException("Unknown standard: " + standard);
     }
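Review bot: Nothing in this commit exercises the `pciDss-4.0` branch that the new `break` makes reachable; until now every `pciDss-4.0:<id>` entry fell through to `default` and threw `IllegalArgumentException`, which no existing test caught. Of the five files in the commit none adds a Xoo rule test for it, so a case asserting that a `pciDss-4.0` standard is accepted (and that an unknown prefix still throws) would keep this from regressing. The enclosing switch and method begin outside the hunk.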
index d13219e433e588a5e6c6dd95e00982aa0f1cb0ab..7a4484d233e6a1c2b522c16c95c39e8817ba303c 100644 (file)
@@ -125,7 +125,7 @@ public class IssueIndexDefinition implements IndexDefinition {
 
   private IssueIndexDefinition(Configuration config, boolean enableSource) {
     this.config = config;
-    this.enableSource = true;
+    this.enableSource = enableSource;
   }
 
   /**
index fa0c0e485f7b3138de2e984d1920628ab4e05771..e863b3059f5bf6f3027deda5b33b6793a504f0b3 100644 (file)
@@ -82,19 +82,19 @@ public class SearchRequestTest {
     assertThat(underTest.getSort()).isEqualTo("CREATION_DATE");
     assertThat(underTest.getAsc()).isTrue();
     assertThat(underTest.getInNewCodePeriod()).isTrue();
-    assertOwasp(underTest);
-    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
-    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
-    assertThat(underTest.getPciDss32()).containsExactly("1", "4");
-    assertThat(underTest.getPciDss40()).containsExactly("3", "5");
+    assertSecurityStandards(underTest);
     assertThat(underTest.getCodeVariants()).containsExactly("variant1", "variant2");
     assertCleanCodeInformation(underTest);
   }
 
-  private static void assertOwasp(SearchRequest underTest) {
+  private static void assertSecurityStandards(SearchRequest underTest) {
     assertThat(underTest.getOwaspTop10For2021()).containsExactly("a2", "a3");
     assertThat(underTest.getOwaspAsvs40()).containsExactly("1.1.1", "4.2.2");
     assertThat(underTest.getOwaspAsvsLevel()).isEqualTo(2);
+    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
+    assertThat(underTest.getCasa()).containsExactly("1.4.1", "6.4.2");
+    assertThat(underTest.getPciDss32()).containsExactly("1", "4");
+    assertThat(underTest.getPciDss40()).containsExactly("3", "5");
   }
 
   private static void assertCleanCodeInformation(SearchRequest underTest) {
index 8ce28b2d23723fbb2a61f5eb7bc358929853eed9..6b0d2b1b10ae416ba434bcb11b745cec16f66a10 100644 (file)
@@ -1329,7 +1329,7 @@ public class IssueIndex {
     return search(request, includeCwe, version.label());
   }
 
-  public List<SecurityStandardCategoryStatistics> getStig(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) {
+  public List<SecurityStandardCategoryStatistics> getStigReport(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) {
     SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
     Arrays.stream(StigSupportedRequirement.values())
       .forEach(stigSupportedRequirement -> request.aggregation(
@@ -1339,6 +1339,15 @@ public class IssueIndex {
     return search(request, false, stigVersion.label());
   }
 
+  public List<SecurityStandardCategoryStatistics> getCasaReport(String projectUuid, boolean isViewOrApp) {
+    SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
+    IntStream.range(1, 15)
+      .forEach(casaTopCategory -> request.aggregation(
+        newSecurityReportSubAggregations(
+          AggregationBuilders.filter(String.valueOf(casaTopCategory), boolQuery().filter(prefixQuery(FIELD_ISSUE_CASA, casaTopCategory + "."))), FIELD_ISSUE_CASA)));
+    return searchWithDistribution(request, null, null);
+  }
+
   private List<SecurityStandardCategoryStatistics> searchWithLevelDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable String level) {
     return getSearchResponse(sourceBuilder)
       .getAggregations().asList().stream()
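Review bot: `IntStream.range(1, 15)` in `getCasaReport` hard-codes the 14 CASA top-level categories as a bare bound, and the new test repeats the number in `hasSize(14)`; a named constant such as `private static final int CASA_TOP_CATEGORY_COUNT = 14;` with a comment naming where the count comes from would keep the two in step. The tests for the other standards feed in issues tagged `UNKNOWN_STANDARD` (e.g. `notpcidssvul`), but no aggregation here covers a CASA value that is not a numbered category, so if the CASA field can carry that marker those issues silently drop out of the report — either add an explicit bucket or state the omission in a comment. The public method also has no Javadoc; a one-liner such as `/** Aggregates open vulnerabilities and hotspots by CASA top-level category (1..14), each with its requirement-level children; no version is attached. */` would cover it, and the trailing dot in `prefixQuery(FIELD_ISSUE_CASA, casaTopCategory + ".")` deserves an inline comment since it is what keeps `1.` from matching `10.x`.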
@@ -1346,7 +1355,7 @@ public class IssueIndex {
       .toList();
   }
 
-  private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable Integer level) {
+  private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, @Nullable String version, @Nullable Integer level) {
     return getSearchResponse(sourceBuilder)
       .getAggregations().asList().stream()
       .map(c -> processSecurityReportIssueSearchResultsWithDistribution((ParsedFilter) c, version, level))
@@ -1366,7 +1375,8 @@ public class IssueIndex {
     return client.search(request);
   }
 
-  private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, String version, @Nullable Integer level) {
+  private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, @Nullable String version,
+    @Nullable Integer level) {
     var list = ((ParsedStringTerms) categoryFilter.getAggregations().get(AGG_DISTRIBUTION)).getBuckets();
     List<SecurityStandardCategoryStatistics> children = list.stream()
       .filter(categoryBucket -> StringUtils.startsWith(categoryBucket.getKeyAsString(), categoryFilter.getName() + "."))
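Review bot: `version` is now `@Nullable` on `processSecurityReportIssueSearchResultsWithDistribution`, but the body that consumes it runs past the hunk, so whether the `SecurityStandardCategoryStatistics` construction tolerates a null version cannot be confirmed here; the new CASA test's `assertThat(stat.getVersion()).isEmpty()` suggests it is wrapped as an empty value, which is worth pinning with a Javadoc `@param version label of the standard version, or null for reports that are not versioned` on this method and on `searchWithDistribution` in the hunk above, which gained the same annotation.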
index 38b17ff5f3e650551badef237ab985f8e6ea87c6..3bdc73cf4d578b831670ba166f7605b7fe976d6a 100644 (file)
@@ -41,14 +41,14 @@ import static java.util.stream.Collectors.toList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.tuple;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;
+import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2017;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2021;
-import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto;
 import static org.sonar.server.issue.IssueDocTesting.newDocForProject;
+import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
 import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222391;
 import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222397;
-import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
 
 class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 
@@ -57,10 +57,12 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
     ComponentDto project = newPrivateProjectDto();
     ComponentDto another = newPrivateProjectDto();
 
-    IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR);
+    IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+      .setSeverity(Severity.MAJOR);
     openVulDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR);
 
-    IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL);
+    IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+      .setSeverity(Severity.CRITICAL);
     otherProjectDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL);
 
     indexIssues(openVulDoc, otherProjectDoc);
@@ -89,7 +91,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       newDocForProject("openvul12021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR),
       newDocForProject("notopenvul", project).setOwaspTop10(List.of("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED)
         .setSeverity(Severity.BLOCKER),
-      newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED)
+      newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED)
+        .setResolution(Issue.RESOLUTION_FIXED)
         .setSeverity(Severity.BLOCKER));
 
     List<SecurityStandardCategoryStatistics> owaspTop10Report = underTest.getOwaspTop10Report(project.uuid(), false, false, Y2017);
@@ -249,15 +252,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren));
 
     assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5));
     assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
@@ -272,15 +275,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren));
 
     assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5));
     assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
@@ -294,7 +297,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MAJOR),
       newDocForProject("openvul2", project).setOwaspTop10(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspTop10(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspTop10(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -330,7 +334,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -427,7 +432,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project).setOwaspAsvs40(asList("10.2.4", "6.2.8")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspAsvs40(asList("2.2.5", "3.2.4")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspAsvs40(asList("3.6.1", "7.1.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -444,7 +450,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MAJOR),
       newDocForProject("openvul2", project).setOwaspTop10For2021(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspTop10For2021(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspTop10For2021(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -485,7 +492,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project1).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project2).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project1).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -532,7 +540,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project1).setOwaspAsvs40(asList("10.3.2", "6.2.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project2).setOwaspAsvs40(asList("2.1.3", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project1).setOwaspAsvs40(asList("3.4.4", "6.2.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -692,7 +701,6 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
     assertThat(findRuleInCweByYear(cwe2021, "295")).isNull();
     assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
 
-
     SecurityStandardCategoryStatistics cwe2022 = cweTop25Reports.stream()
       .filter(s -> s.getCategory().equals("2022"))
       .findAny().get();
@@ -733,7 +741,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
   }
 
   @Test
-  void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigRequirement() {
+  void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigReportRequirement() {
     ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent();
     ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent();
     ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent();
@@ -751,7 +759,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 
     indexView(application.uuid(), asList(project1.uuid(), project2.uuid()));
 
-    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(application.uuid(), true, StigVersion.ASD_V5R3)
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(application.uuid(), true, StigVersion.ASD_V5R3)
       .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
 
     assertThat(statisticsToMap).hasSize(41)
@@ -783,7 +791,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       newDocForProject("reviewedHostpot", branch).setStigAsdV5R3(List.of(V222397.getRequirement())).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED));
 
-    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(branch.uuid(), false, StigVersion.ASD_V5R3)
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(branch.uuid(), false, StigVersion.ASD_V5R3)
       .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
 
     assertThat(statisticsToMap).hasSize(41)
@@ -801,6 +809,90 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       });
   }
 
+  @Test
+  void getCasa_whenRequestingReportOnProject_ShouldAggregateBasedOnCasaReportRequirement() {
+    ComponentDto branch = newPrivateProjectDto();
+    indexIssues(
+      newDocForProject("openvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("openvul2", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("notopenvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED)
+        .setResolution(Issue.RESOLUTION_FIXED)
+        .setSeverity(Severity.BLOCKER),
+      newDocForProject("toreviewhotspot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_TO_REVIEW),
+      newDocForProject("reviewedHostpot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED));
+
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = toMap(underTest.getCasaReport(branch.uuid(), false));
+
+    assertThat(statisticsToMap).hasSize(14)
+      .hasEntrySatisfying("2", stat -> {
+        assertThat(stat.getVulnerabilities()).isEqualTo(2);
+        assertThat(stat.getToReviewSecurityHotspots()).isEqualTo(1);
+        assertThat(stat.getReviewedSecurityHotspots()).isEqualTo(1);
+        assertThat(stat.getVersion()).isEmpty();
+        assertThat(toMap(stat.getChildren()))
+          .hasSize(2)
+          .hasEntrySatisfying("2.6.1", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(2);
+            assertThat(cat.getToReviewSecurityHotspots()).isZero();
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+            assertThat(cat.getVulnerabilityRating()).as("MAJOR = C").isEqualTo(OptionalInt.of(3));
+          })
+          .hasEntrySatisfying("2.7.6", cat -> {
+            assertThat(cat.getVulnerabilities()).isZero();
+            assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1);
+            assertThat(cat.getReviewedSecurityHotspots()).isEqualTo(1);
+            assertThat(stat.getSecurityReviewRating()).as("50% of hotspots are reviewed, so rating is C").isEqualTo(3);
+          });
+      });
+  }
+
+  @Test
+  void getCasa_whenRequestingReportOnApplication_ShouldAggregateBasedOnCasaReportRequirement() {
+    ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent();
+    ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent();
+    ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent();
+
+    indexIssues(
+      newDocForProject("openvul1", project1).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("openvul2", project2).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
+        .setSeverity(Severity.MINOR),
+      newDocForProject("toreviewhotspot", project1).setCasa(List.of("2.6.1")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_TO_REVIEW),
+
+      newDocForProject("unknown", project2).setCasa(List.of("2.7.6")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
+        .setSeverity(Severity.MINOR));
+
+    indexView(application.uuid(), asList(project1.uuid(), project2.uuid()));
+
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getCasaReport(application.uuid(), true)
+      .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
+
+    assertThat(statisticsToMap).hasSize(14)
+      .hasEntrySatisfying("2", stat -> {
+        assertThat(toMap(stat.getChildren()))
+          .hasSize(2)
+          .hasEntrySatisfying("2.6.1", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(2);
+            assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1);
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+          })
+          .hasEntrySatisfying("2.7.6", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(1);
+            assertThat(cat.getToReviewSecurityHotspots()).isZero();
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+          });
+      });
+  }
+
+  private static Map<String, SecurityStandardCategoryStatistics> toMap(List<SecurityStandardCategoryStatistics> statistics) {
+    return statistics.stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
+  }
+
   private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {
     return statistics.getChildren().stream().filter(stat -> stat.getCategory().equals(cweId)).findAny().orElse(null);
   }
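Review bot: In the project test, the `2.7.6` child block asserts `stat.getSecurityReviewRating()` — the parent's rating — instead of `cat.getSecurityReviewRating()`, so the child's review rating is never checked; the line should read `assertThat(cat.getSecurityReviewRating()).as("50% of hotspots are reviewed, so rating is C").isEqualTo(3);`. The application test builds `statisticsToMap` with an inline `Collectors.toMap` while the project test uses the new `toMap` helper added two methods below; using the helper in both keeps them consistent. The doc named `"unknown"` in the application test carries the real category `2.7.6`, which is misleading given the `UNKNOWN_STANDARD` docs the other report tests use — either rename it or make it an actual `UNKNOWN_STANDARD` case, which would also cover the uncategorised-issue path the report currently has no bucket for.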