From e44a7826206596b4c3f07a1139ab577656805b5a Mon Sep 17 00:00:00 2001
From: Lukasz Jarocki
Date: Thu, 16 Sep 2021 13:48:36 +0200
Subject: [PATCH] SONAR-15212 adjustments in CWEs assignements to categories. Support for new CWEs
---
 .../server/security/SecurityStandards.java | 46 ++++++++++---------
 .../src/main/js/helpers/standards.json | 6 +++
 2 files changed, 30 insertions(+), 22 deletions(-)
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
index 137aea7497a..124eaf0853f 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
@@ -20,9 +20,7 @@ package org.sonar.server.security;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Ordering;
-
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -140,6 +138,8 @@ public final class SecurityStandards {
 AUTH("auth", HIGH),
 INSECURE_CONF("insecure-conf", LOW),
 FILE_MANIPULATION("file-manipulation", LOW),
+ ENCRYPTION_OF_SENSITIVE_DATA("encrypt-data", LOW),
+ TRACEABILITY("traceability", LOW),
 OTHERS("others", LOW);
 private static final Map SQ_CATEGORY_BY_KEY = stream(values()).collect(uniqueIndex(SQCategory::getKey));
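Review bot: The two new constants are inserted before `OTHERS`, which matters because `SQ_CATEGORY_ORDERING` and `SQ_CATEGORY_KEYS_ORDERING` (visible later in this same file) are built with `Ordering.explicit` over `values()`, so declaration order is a precedence order, yet nothing at the enum says so. A short comment above the enum constants would protect the next addition, e.g. `// Declaration order defines SQ_CATEGORY_ORDERING; add new categories before OTHERS, which is presumably the fallback and should stay last`. Because `SQ_CATEGORY_BY_KEY` is a `uniqueIndex` on `getKey`, the new keys `encrypt-data` and `traceability` must also stay in sync with the labels added to standards.json in the second file of this patch, and nothing visible here enforces that. The enum starts before this hunk.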
@@ -165,26 +165,28 @@ public final class SecurityStandards {
 }
 public static final Map> CWES_BY_SQ_CATEGORY = ImmutableMap.>builder()
- .put(SQCategory.BUFFER_OVERFLOW, ImmutableSet.of("119", "120", "131", "676", "788"))
- .put(SQCategory.SQL_INJECTION, ImmutableSet.of("89", "564"))
- .put(SQCategory.COMMAND_INJECTION, ImmutableSet.of("77", "78", "88", "214"))
- .put(SQCategory.PATH_TRAVERSAL_INJECTION, ImmutableSet.of("22"))
- .put(SQCategory.LDAP_INJECTION, ImmutableSet.of("90"))
- .put(SQCategory.XPATH_INJECTION, ImmutableSet.of("643"))
- .put(SQCategory.RCE, ImmutableSet.of("94", "95"))
- .put(SQCategory.DOS, ImmutableSet.of("400", "624"))
- .put(SQCategory.SSRF, ImmutableSet.of("918"))
- .put(SQCategory.CSRF, ImmutableSet.of("352"))
- .put(SQCategory.XSS, ImmutableSet.of("79", "80", "81", "82", "83", "84", "85", "86", "87"))
- .put(SQCategory.LOG_INJECTION, ImmutableSet.of("117"))
- .put(SQCategory.HTTP_RESPONSE_SPLITTING, ImmutableSet.of("113"))
- .put(SQCategory.OPEN_REDIRECT, ImmutableSet.of("601"))
- .put(SQCategory.XXE, ImmutableSet.of("611", "827"))
- .put(SQCategory.OBJECT_INJECTION, ImmutableSet.of("134", "470", "502"))
- .put(SQCategory.WEAK_CRYPTOGRAPHY, ImmutableSet.of("295", "297", "321", "322", "323", "324", "325", "326", "327", "328", "330", "780"))
- .put(SQCategory.AUTH, ImmutableSet.of("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "284"))
- .put(SQCategory.INSECURE_CONF, ImmutableSet.of("102", "215", "311", "315", "346", "614", "489", "942"))
- .put(SQCategory.FILE_MANIPULATION, ImmutableSet.of("97", "73"))
+ .put(SQCategory.BUFFER_OVERFLOW, Set.of("119", "120", "131", "676", "788"))
+ .put(SQCategory.SQL_INJECTION, Set.of("89", "564", "943"))
+ .put(SQCategory.COMMAND_INJECTION, Set.of("77", "78", "88", "214"))
+ .put(SQCategory.PATH_TRAVERSAL_INJECTION, Set.of("22"))
+ .put(SQCategory.LDAP_INJECTION, Set.of("90"))
+ .put(SQCategory.XPATH_INJECTION, Set.of("643"))
+ .put(SQCategory.RCE, Set.of("94", "95"))
+ .put(SQCategory.DOS, Set.of("400", "624"))
+ .put(SQCategory.SSRF, Set.of("918"))
+ .put(SQCategory.CSRF, Set.of("352"))
+ .put(SQCategory.XSS, Set.of("79", "80", "81", "82", "83", "84", "85", "86", "87"))
+ .put(SQCategory.LOG_INJECTION, Set.of("117"))
+ .put(SQCategory.HTTP_RESPONSE_SPLITTING, Set.of("113"))
+ .put(SQCategory.OPEN_REDIRECT, Set.of("601"))
+ .put(SQCategory.XXE, Set.of("611", "827"))
+ .put(SQCategory.OBJECT_INJECTION, Set.of("134", "470", "502"))
+ .put(SQCategory.WEAK_CRYPTOGRAPHY, Set.of("295", "297", "321", "322", "323", "324", "325", "326", "327", "328", "330", "780"))
+ .put(SQCategory.AUTH, Set.of("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "284", "308", "732"))
+ .put(SQCategory.INSECURE_CONF, Set.of("102", "215", "346", "614", "489", "942"))
+ .put(SQCategory.FILE_MANIPULATION, Set.of("97", "73"))
+ .put(SQCategory.ENCRYPTION_OF_SENSITIVE_DATA, Set.of("311", "315", "319"))
+ .put(SQCategory.TRACEABILITY, Set.of("778"))
 .build();
 private static final Ordering SQ_CATEGORY_ORDERING = Ordering.explicit(stream(SQCategory.values()).collect(Collectors.toList()));
 public static final Ordering SQ_CATEGORY_KEYS_ORDERING = Ordering.explicit(stream(SQCategory.values()).map(SQCategory::getKey).collect(Collectors.toList()));
diff --git a/server/sonar-web/src/main/js/helpers/standards.json b/server/sonar-web/src/main/js/helpers/standards.json
index e6ffadaa701..42b38d8d445 100644
--- a/server/sonar-web/src/main/js/helpers/standards.json
+++ b/server/sonar-web/src/main/js/helpers/standards.json
@@ -3683,6 +3683,12 @@
 "file-manipulation": {
 "title": "File Manipulation"
 },
+ "encrypt-data": {
+ "title": "Encryption of Sensitive Data"
+ },
+ "traceability": {
+ "title": "Traceability"
+ },
 "others": {
 "title": "Others"
 }
-- 
2.39.5
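Review bot: Replacing `ImmutableSet.of` with `Set.of` on every `.put(...)` line changes two things the commit message does not mention: `Set.of` throws `IllegalArgumentException` on a duplicate element, so a repeated CWE inside one category now fails the static initialisation of `SecurityStandards` instead of being silently de-duplicated, and `Set.of` iteration order is unspecified and varies between JVM runs, whereas `ImmutableSet` kept insertion order. The fail-fast on duplicates is arguably an improvement, but anything that renders these sets in order (API responses or tests comparing lists) could become non-deterministic, which I would confirm before merging. What neither version checks is that a CWE is mapped to only one category; this commit itself moves `311` and `315` from `INSECURE_CONF` to `ENCRYPTION_OF_SENSITIVE_DATA`, and an accidental double mapping would presumably be resolved silently by whichever category a reverse lookup meets first, so a static guard right after `.build()` (below, assuming the value type is `Set<String>` as the rendering-stripped generics suggest) makes the invariant explicit. Separately, `943` (Improper Neutralization of Special Elements in Data Query Logic) covers query languages beyond SQL, so the `SQL_INJECTION` line deserves `// 943 also covers non-SQL query injection (e.g. NoSQL); kept here as the closest category`. The enclosing class continues outside the hunk.
```java
    .put(SQCategory.TRACEABILITY, Set.of("778"))
    .build();

  static {
    // Each CWE must belong to exactly one category; a double mapping would otherwise be resolved
    // silently by iteration order. Set.of already rejects duplicates within a single category.
    long mapped = CWES_BY_SQ_CATEGORY.values().stream().mapToLong(Set::size).sum();
    long distinct = CWES_BY_SQ_CATEGORY.values().stream().flatMap(Set::stream).distinct().count();
    if (mapped != distinct) {
      throw new IllegalStateException("A CWE is mapped to more than one SQCategory in CWES_BY_SQ_CATEGORY");
    }
  }
  // … unchanged: SQ_CATEGORY_ORDERING / SQ_CATEGORY_KEYS_ORDERING …
```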