From ecf58b951dba30f565e714ca66fd48bfc74986ed Mon Sep 17 00:00:00 2001
From: Lukasz Jarocki
Date: Mon, 30 Aug 2021 13:55:38 +0200
Subject: [PATCH] SONAR-15345 add CWE top 25 for year 2021
---
 .../server/security/SecurityStandards.java | 11 +++-
 .../index/IssueIndexSecurityReportsTest.java | 62 +++++++++++++++++--
 2 files changed, 67 insertions(+), 6 deletions(-)
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
index a6473f10db6..d895b0bc221 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
@@ -83,9 +83,16 @@ public final class SecurityStandards {
 "78", "190", "22", "476", "287", "434", "732", "94", "522", "611", "798", "502", "269", "400", "306", "862"));
- public static final Map> CWES_BY_CWE_TOP_25 = ImmutableMap.of(
+ // https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
+ public static final List CWE_TOP25_2021 =
+ Collections.unmodifiableList(asList("119", "79", "20", "200", "125", "89", "416", "190", "352",
+ "22", "78", "787", "287", "476", "732", "434", "611", "94",
+ "798", "400", "772", "426", "502", "269", "295"));
+
+ public static final Map> CWES_BY_CWE_TOP_25 = Map.of(
 "2019", CWE_TOP25_2019,
- "2020", CWE_TOP25_2020);
+ "2020", CWE_TOP25_2020,
+ "2021", CWE_TOP25_2021);
 public enum VulnerabilityProbability {
 HIGH(3),
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
index 58b4448e9a7..e7c6c8dab86 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
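Review bot: The twenty-five IDs assigned to `CWE_TOP25_2021` look like MITRE's 2019 ranking rather than the 2021 one: the sequence 119, 79, 20, 200, 125, 89, 416, 190, 352, 22, 78, 787, 287, 476, 732, 434, 611, 94, 798, 400, 772, 426, 502, 269, 295 is, as far as I can tell, the 2019 list verbatim, whereas the 2021 list at the URL in the comment starts 787, 79, 125, 20, 78, 89 and contains 862, 276, 918 and 77, none of which appear here. If that is right, every report keyed `"2021"` through `CWES_BY_CWE_TOP_25` would silently repeat the 2019 data, so the values should be re-derived from the linked page before merge and the fixture in IssueIndexSecurityReportsTest adjusted with them. A short provenance comment above the constant, such as `// Ranking as published on the MITRE page above; keep in sync with IssueIndexSecurityReportsTest`, would make later audits of these lists easier. Purely stylistic: `Collections.unmodifiableList(asList(...))` could be `List.of(...)` now that the file uses `Map.of`, though only worth doing together with the 2019/2020 constants outside this hunk. The class body continues outside the hunk.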
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
@@ -313,7 +313,15 @@ public class IssueIndexSecurityReportsTest {
 List cweTop25Reports = underTest.getCweTop25Reports(project.uuid(), false);
- SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.get(0);
+ List listOfYears = cweTop25Reports.stream()
+ .map(SecurityStandardCategoryStatistics::getCategory)
+ .collect(toList());
+
+ assertThat(listOfYears).contains("2019", "2020", "2021");
+
+ SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2019"))
+ .findAny().get();
 assertThat(cwe2019.getChildren()).hasSize(25);
 assertThat(findRuleInCweByYear(cwe2019, "119")).isNotNull()
 .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
@@ -328,7 +336,9 @@ public class IssueIndexSecurityReportsTest {
 assertThat(findRuleInCweByYear(cwe2019, "862")).isNull();
 assertThat(findRuleInCweByYear(cwe2019, "999")).isNull();
- SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.get(1);
+ SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2020"))
+ .findAny().get();
 assertThat(cwe2020.getChildren()).hasSize(25);
 assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
 .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
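Review bot: The new `cwe2019` lookup ends in `.findAny().get()`, which on a missing year fails with a bare NoSuchElementException that does not say which year was absent; the same three lines are repeated for `cwe2020` in the hunk at -328 and for the 2021/2020/2019 lookups in the hunks at -346, -370, -385 and -403. `.findAny().orElseThrow(() -> new AssertionError("no CWE Top 25 report for 2019"))`, or a private helper `reportForYear(cweTop25Reports, "2019")` used by all six call sites, would make a failure self-describing and remove the duplication. The preceding `assertThat(listOfYears).contains("2019", "2020", "2021")` already guards the `get()` in practice, so this is a readability point rather than a correctness one. The enclosing test method starts outside the hunk.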
@@ -346,6 +356,23 @@ public class IssueIndexSecurityReportsTest {
 SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
 .containsExactlyInAnyOrder(1L, 0L, 0L);
 assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+
+ SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2021"))
+ .findAny().get();
+ assertThat(cwe2021.getChildren()).hasSize(25);
+ assertThat(findRuleInCweByYear(cwe2021, "119")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(1L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2021, "89")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(0L, 1L, 0L);
+ assertThat(findRuleInCweByYear(cwe2021, "862")).isNull();
+ assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
 }
 @Test
@@ -370,7 +397,15 @@ public class IssueIndexSecurityReportsTest {
 List cweTop25Reports = underTest.getCweTop25Reports(application.uuid(), true);
- SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.get(0);
+ List listOfYears = cweTop25Reports.stream()
+ .map(SecurityStandardCategoryStatistics::getCategory)
+ .collect(toList());
+
+ assertThat(listOfYears).contains("2019", "2020", "2021");
+
+ SecurityStandardCategoryStatistics cwe2019 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2019"))
+ .findAny().get();
 assertThat(cwe2019.getChildren()).hasSize(25);
 assertThat(findRuleInCweByYear(cwe2019, "119")).isNotNull()
 .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
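Review bot: `assertThat(findRuleInCweByYear(cwe2021, "862")).isNull()` asserts that CWE-862 is outside the 2021 Top 25, but MITRE's published 2021 list does include CWE-862 (Missing Authorization), so this assertion only holds if `CWE_TOP25_2021` in SecurityStandards.java carries IDs from another year; the application variant in the hunk at -403 has the same line. More generally the 2021 block checks exactly the IDs the 2019 block checks (119 present, 89 present, 862 and 999 absent), so it cannot tell a correct 2021 report from a copy of the 2019 one. Asserting on an ID that is only in the 2021 ranking, e.g. `assertThat(findRuleInCweByYear(cwe2021, "276")).isNotNull();`, and on one that dropped out of it, would make the fixture catch a wrong list. The `hasSize(25)` check is fine as is.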
@@ -385,7 +420,9 @@ public class IssueIndexSecurityReportsTest {
 assertThat(findRuleInCweByYear(cwe2019, "862")).isNull();
 assertThat(findRuleInCweByYear(cwe2019, "999")).isNull();
- SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.get(1);
+ SecurityStandardCategoryStatistics cwe2020 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2020"))
+ .findAny().get();
 assertThat(cwe2020.getChildren()).hasSize(25);
 assertThat(findRuleInCweByYear(cwe2020, "119")).isNotNull()
 .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
@@ -403,6 +440,23 @@ public class IssueIndexSecurityReportsTest {
 SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
 .containsExactlyInAnyOrder(1L, 0L, 0L);
 assertThat(findRuleInCweByYear(cwe2020, "999")).isNull();
+
+ SecurityStandardCategoryStatistics cwe2021 = cweTop25Reports.stream()
+ .filter(s -> s.getCategory().equals("2021"))
+ .findAny().get();
+ assertThat(cwe2021.getChildren()).hasSize(25);
+ assertThat(findRuleInCweByYear(cwe2021, "119")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(2L, 0L, 0L);
+ assertThat(findRuleInCweByYear(cwe2021, "89")).isNotNull()
+ .extracting(SecurityStandardCategoryStatistics::getVulnerabilities,
+ SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+ SecurityStandardCategoryStatistics::getReviewedSecurityHotspots)
+ .containsExactlyInAnyOrder(0L, 1L, 0L);
+ assertThat(findRuleInCweByYear(cwe2021, "862")).isNull();
+ assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
 }
 private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {
-- 
2.39.5