From: Matteo Mara
Date: Wed, 27 Sep 2023 16:09:19 +0000 (+0200)
Subject: SONAR-20333 Update security reports with CWE Top 25 2023
X-Git-Tag: 10.3.0.82913~314
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=562f94669463698cd913f2362d6580c0765a9b39;p=sonarqube.git
SONAR-20333 Update security reports with CWE Top 25 2023
---
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
index 767c1ac314c..cd78ac5e6ca 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
@@ -88,10 +88,6 @@ public final class SecurityStandards {
 SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE, SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE);
- // https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
- public static final List CWE_TOP25_2020 = List.of("79", "787", "20", "125", "119", "89", "200", "416", "352", "78", "190", "22", "476", "287",
- "434", "732", "94", "522", "611", "798", "502", "269", "400", "306", "862");
-
 // https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
 public static final List CWE_TOP25_2021 = List.of("787", "79", "125", "20", "78", "89", "416", "22", "352", "434", "306", "190", "502", "287", "476", "798", "119", "862", "276", "200", "522", "732", "611", "918", "77");
@@ -100,14 +96,18 @@ public final class SecurityStandards {
 public static final List CWE_TOP25_2022 = List.of("787", "79", "89", "20", "125", "78", "416", "22", "352", "434", "476", "502", "190", "287", "798", "862", "77", "306", "119", "276", "918", "362", "400", "611", "94");
- public static final String CWE_YEAR_2020 = "2020";
+ // https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html#tableView
+ public static final List CWE_TOP25_2023 = List.of("787", "79", "89", "416", "78", "20", "125", "22", "352", "434", "862", "476", "287", "190", "502",
+ "77", "119", "798", "918", "306", "362", "269", "94", "863", "276");
+
 public static final String CWE_YEAR_2021 = "2021";
 public static final String CWE_YEAR_2022 = "2022";
+ public static final String CWE_YEAR_2023 = "2023";
 public static final Map> CWES_BY_CWE_TOP_25 = Map.of(
- CWE_YEAR_2020, CWE_TOP25_2020,
 CWE_YEAR_2021, CWE_TOP25_2021,
- CWE_YEAR_2022, CWE_TOP25_2022);
+ CWE_YEAR_2022, CWE_TOP25_2022,
+ CWE_YEAR_2023, CWE_TOP25_2023);
 private static final List OWASP_ASVS_40_LEVEL_1 = List.of("2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.2.1", "2.2.2", "2.2.3", "2.3.1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.5.6", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.8.1",
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
index 0ff92fd6965..535fae2a23b 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
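Review bot: `CWE_TOP25_2020` and `CWE_YEAR_2020` are public constants of a public final class, and this hunk (together with the one at -88,10) deletes them outright, so any consumer outside the two files in this diff that still references them breaks at compile time, and nothing here shows such callers being checked. If the intent is only to stop reporting the 2020 edition, keeping the constants with `@Deprecated(forRemoval = true)` and removing them from `CWES_BY_CWE_TOP_25` alone, which appears to be what drives the report, is the backward-compatible option. `CWES_BY_CWE_TOP_25` also has no comment saying that its keys are the editions exposed in the security reports and that adding an edition means updating the map, the `CWE_YEAR_*` constant and the list together; a one-liner such as `// keys are the CWE Top 25 editions exposed in security reports; add new editions here` would guide the next yearly update. The rendering has also lost the generic type arguments (`List`, `Map>` read as raw types); presumably the file has `List<String>` and `Map<String, List<String>>`, which is worth confirming before merge.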
@@ -40,9 +40,9 @@ import static java.util.stream.Collectors.toList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.tuple;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;
-import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2017;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2021;
+import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto;
 import static org.sonar.server.issue.IssueDocTesting.newDocForProject;
 import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
@@ -586,28 +586,7 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 .map(SecurityStandardCategoryStatistics::getCategory)
 .collect(toList());
- assertThat(listOfYears).contains("2020", "2021", "2022");
-
- SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
- .filter(s -> s.getCategory().equals("2020"))
- .findAny().get();
- assertThat(cwe2020.getChildren()).hasSize(25);
- assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(1L, 0L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "89")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(0L, 1L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "862")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(1L, 0L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+ assertThat(listOfYears).contains("2021", "2022", "2023");
 SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
 .filter(s -> s.getCategory().equals("2021"))
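Review bot: `assertThat(listOfYears).contains("2021", "2022", "2023")` on the added line does not verify that the 2020 report is actually gone, which is half of what this commit changes; `contains` still passes if "2020" keeps being produced. Replacing it with `assertThat(listOfYears).containsExactlyInAnyOrder("2021", "2022", "2023");` pins both the new edition and the removal. The identical assertion in the hunk at -670,28 has the same gap. The enclosing test method starts before this hunk and continues past it.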
@@ -642,6 +621,27 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 .containsExactlyInAnyOrder(0L, 1L, 0L);
 assertThat(findRuleInCweByYear(cwe2022, "950")).isNull();
 assertThat(findRuleInCweByYear(cwe2022, "999")).isNull();
+
+ SecurityStandardCategoryStatistics cwe2023 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2023"))
+ .findAny().get();
+ assertThat(cwe2023.getChildren()).hasSize(25);
+ assertThat(findRuleInCweByYear(cwe2023, "119")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(1L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "89")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(0L, 1L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "862")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(1L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "999")).isNull();
 }
 @Test
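Review bot: The new `cwe2023` block is the removed 2020 block with the year substituted, including `.findAny().get()`, which on a missing "2023" category fails with a bare NoSuchElementException instead of naming the missing report; `.findAny().orElseThrow(() -> new AssertionError("no CWE Top 25 2023 report"))` makes that failure self-explanatory. The three `extracting(...)...containsExactlyInAnyOrder(...)` stanzas are also repeated for every year and every sampled CWE, so a small helper taking the year statistics, the CWE id and the three expected counts would collapse each to one line; the sketch below shows the shape. The same two points apply to the hunk at -728,6. The enclosing test method starts before this hunk.
```java
private void assertCweStats(SecurityStandardCategoryStatistics yearStats, String cweId,
  long vulnerabilities, long toReview, long reviewed) {
  assertThat(findRuleInCweByYear(yearStats, cweId)).isNotNull()
    .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
      SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
    .containsExactlyInAnyOrder(vulnerabilities, toReview, reviewed);
}
// … unchanged: cwe2023 lookup (with orElseThrow) and hasSize(25) …
assertCweStats(cwe2023, "119", 1L, 0L, 0L);
assertCweStats(cwe2023, "89", 0L, 1L, 0L);
assertCweStats(cwe2023, "862", 1L, 0L, 0L);
```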
@@ -670,28 +670,7 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 .map(SecurityStandardCategoryStatistics::getCategory)
 .collect(toList());
- assertThat(listOfYears).contains("2020", "2021", "2022");
-
- SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
- .filter(s -> s.getCategory().equals("2020"))
- .findAny().get();
- assertThat(cwe2020.getChildren()).hasSize(25);
- assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(2L, 0L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "89")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(0L, 1L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "862")).isNotNull()
- .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
- SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
- SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
- .containsExactlyInAnyOrder(1L, 0L, 0L);
- assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+ assertThat(listOfYears).contains("2021", "2022", "2023");
 SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
 .filter(s -> s.getCategory().equals("2021"))
@@ -728,6 +707,26 @@ public class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 assertThat(findRuleInCweByYear(cwe2022, "295")).isNull();
 assertThat(findRuleInCweByYear(cwe2022, "999")).isNull();
+ SecurityStandardCategoryStatistics cwe2023 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2023"))
+ .findAny().get();
+ assertThat(cwe2023.getChildren()).hasSize(25);
+ assertThat(findRuleInCweByYear(cwe2023, "119")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(2L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "89")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(0L, 1L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "862")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(1L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2023, "999")).isNull();
 }
 private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {