SONAR-15345 add CWE top 25 for year 2021
authorLukasz Jarocki <lukasz.jarocki@sonarsource.com>
Mon, 30 Aug 2021 11:55:38 +0000 (13:55 +0200)
committersonartech <sonartech@sonarsource.com>
Mon, 30 Aug 2021 20:08:20 +0000 (20:08 +0000)
server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java

index a6473f10db67353277b00643d722035410c144ca..d895b0bc221b75ad7fabf1bab1d116483bb09a64 100644 (file)
@@ -83,9 +83,16 @@ public final class SecurityStandards {
       "78", "190", "22", "476", "287", "434", "732", "94", "522",
       "611", "798", "502", "269", "400", "306", "862"));
 
-  public static final Map<String, List<String>> CWES_BY_CWE_TOP_25 = ImmutableMap.of(
+  // https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
+  public static final List<String> CWE_TOP25_2021 =
+    Collections.unmodifiableList(asList("119", "79", "20", "200", "125", "89", "416", "190", "352",
+      "22", "78", "787", "287", "476", "732", "434", "611", "94",
+      "798", "400", "772", "426", "502", "269", "295"));
+
+  public static final Map<String, List<String>> CWES_BY_CWE_TOP_25 = Map.of(
     "2019", CWE_TOP25_2019,
-    "2020", CWE_TOP25_2020);
+    "2020", CWE_TOP25_2020,
+    "2021", CWE_TOP25_2021);
 
   public enum VulnerabilityProbability {
     HIGH(3),
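Review bot: The contents of the added CWE_TOP25_2021 list ("119", "79", "20", "200", "125", … "295") appear to match MITRE's 2019 Top 25 rather than the 2021 list at the URL in the comment above it, which is led by 787 and contains entries such as 862, 276, 918 and 77 that are missing here; the list should be re-checked against that page before release, otherwise the "2021" report would be built from 2019 data. If the list is corrected, the test assertions in the later hunks that expect `findRuleInCweByYear(cwe2021, "862")` to be null would need to change as well. Separately, replacing `ImmutableMap.of` with `Map.of` drops the insertion-order guarantee: `Map.of` iteration order is unspecified, so any consumer that relied on CWES_BY_CWE_TOP_25 yielding years in order (the tests moved away from index lookups for this reason) now sees an arbitrary order; if report ordering is user-visible, keep an ordered map, e.g. `Collections.unmodifiableMap(new LinkedHashMap<>(...))`, or sort the keys where they are consumed.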
index 58b4448e9a7637c2a7668fdd6eb1562cdfac5142..e7c6c8dab8665cc474c173be43a77f8cf203faa3 100644 (file)
@@ -313,7 +313,15 @@ public class IssueIndexSecurityReportsTest {
 
     List<SecurityStandardCategoryStatistics> cweTop25Reports = underTest.getCweTop25Reports(project.uuid(), false);
 
-    SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.get(0);
+    List<String> listOfYears = cweTop25Reports.stream()
+      .map(SecurityStandardCategoryStatistics::getCategory)
+      .collect(toList());
+
+    assertThat(listOfYears).contains("2019", "2020", "2021");
+
+    SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2019"))
+      .findAny().get();
     assertThat(cwe2019.getChildren()).hasSize(25);
     assertThat(findRuleInCweByYear(cwe2019, "119")).isNotNull()
       .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
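Review bot: `.findAny().get()` on the filtered stream is an unchecked Optional.get, so a missing year fails the test with a bare NoSuchElementException; prefer `.findAny().orElseThrow(() -> new AssertionError("no CWE Top 25 report for 2019"))` so the failure names the missing category. The same filter-by-category lookup is repeated for 2020 and 2021 in this method and again in the application test (the hunks at @@ -328, @@ -346, @@ -370, @@ -385 and @@ -403), so a private helper such as `reportForYear(List<SecurityStandardCategoryStatistics> reports, String year)` would remove the duplication. `assertThat(listOfYears).contains("2019", "2020", "2021")` still passes if an unexpected extra year shows up; `containsExactlyInAnyOrder` would pin the set. The enclosing test method starts before this hunk.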
@@ -328,7 +336,9 @@ public class IssueIndexSecurityReportsTest {
     assertThat(findRuleInCweByYear(cwe2019, "862")).isNull();
     assertThat(findRuleInCweByYear(cwe2019, "999")).isNull();
 
-    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.get(1);
+    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2020"))
+      .findAny().get();
     assertThat(cwe2020.getChildren()).hasSize(25);
     assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
       .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
@@ -346,6 +356,23 @@ public class IssueIndexSecurityReportsTest {
         SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
       .containsExactlyInAnyOrder(1L, 0L, 0L);
     assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+
+    SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2021"))
+      .findAny().get();
+    assertThat(cwe2021.getChildren()).hasSize(25);
+    assertThat(findRuleInCweByYear(cwe2021, "119")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(1L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2021, "89")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(0L, 1L, 0L);
+    assertThat(findRuleInCweByYear(cwe2021, "862")).isNull();
+    assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
   }
 
   @Test
@@ -370,7 +397,15 @@ public class IssueIndexSecurityReportsTest {
 
     List<SecurityStandardCategoryStatistics> cweTop25Reports = underTest.getCweTop25Reports(application.uuid(), true);
 
-    SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.get(0);
+    List<String> listOfYears = cweTop25Reports.stream()
+      .map(SecurityStandardCategoryStatistics::getCategory)
+      .collect(toList());
+
+    assertThat(listOfYears).contains("2019", "2020", "2021");
+
+    SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2019"))
+      .findAny().get();
     assertThat(cwe2019.getChildren()).hasSize(25);
     assertThat(findRuleInCweByYear(cwe2019, "119")).isNotNull()
       .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
@@ -385,7 +420,9 @@ public class IssueIndexSecurityReportsTest {
     assertThat(findRuleInCweByYear(cwe2019, "862")).isNull();
     assertThat(findRuleInCweByYear(cwe2019, "999")).isNull();
 
-    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.get(1);
+    SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2020"))
+      .findAny().get();
     assertThat(cwe2020.getChildren()).hasSize(25);
     assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
       .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
@@ -403,6 +440,23 @@ public class IssueIndexSecurityReportsTest {
         SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
       .containsExactlyInAnyOrder(1L, 0L, 0L);
     assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+
+    SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
+      .filter(s -> s.getCategory().equals("2021"))
+      .findAny().get();
+    assertThat(cwe2021.getChildren()).hasSize(25);
+    assertThat(findRuleInCweByYear(cwe2021, "119")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(2L, 0L, 0L);
+    assertThat(findRuleInCweByYear(cwe2021, "89")).isNotNull()
+      .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+        SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+      .containsExactlyInAnyOrder(0L, 1L, 0L);
+    assertThat(findRuleInCweByYear(cwe2021, "862")).isNull();
+    assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
   }
 
   private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {