
SONAR-16129 Handle Owasp Top 10 2021 facet in issue search

tags/9.4.0.54424
Matteo Mara 2 years ago
parent
commit
34fe977c3f

+ 11
- 0
server/sonar-server-common/src/main/java/org/sonar/server/issue/SearchRequest.java View File

@@ -62,6 +62,7 @@ public class SearchRequest {
private List<String> tags;
private Set<String> types;
private List<String> owaspTop10;
private List<String> owaspTop10For2021;
private List<String> sansTop25;
private List<String> sonarsourceSecurity;
private List<String> cwe;
@@ -377,6 +378,16 @@ public class SearchRequest {
return this;
}

@CheckForNull
public List<String> getOwaspTop10For2021() {
return owaspTop10For2021;
}

public SearchRequest setOwaspTop10For2021(@Nullable List<String> owaspTop10For2021) {
this.owaspTop10For2021 = owaspTop10For2021;
return this;
}

@CheckForNull
public List<String> getSansTop25() {
return sansTop25;

+ 3
- 1
server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java View File

@@ -48,7 +48,8 @@ public class SearchRequestTest {
.setRules(asList("key-a", "key-b"))
.setSort("CREATION_DATE")
.setAsc(true)
.setInNewCodePeriod(true);
.setInNewCodePeriod(true)
.setOwaspTop10For2021(asList("a2", "a3"));

assertThat(underTest.getIssues()).containsOnlyOnce("anIssueKey");
assertThat(underTest.getSeverities()).containsExactly("MAJOR", "MINOR");
@@ -69,6 +70,7 @@ public class SearchRequestTest {
assertThat(underTest.getSort()).isEqualTo("CREATION_DATE");
assertThat(underTest.getAsc()).isTrue();
assertThat(underTest.getInNewCodePeriod()).isTrue();
assertThat(underTest.getOwaspTop10For2021()).containsExactly("a2", "a3");
}

@Test

+ 1
- 0
server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java View File

@@ -709,6 +709,7 @@ public class IssueIndex {
addFacetIfNeeded(options, aggregationHelper, esRequest, TYPES, query.types().toArray());

addSecurityCategoryFacetIfNeeded(PARAM_OWASP_TOP_10, OWASP_TOP_10, options, aggregationHelper, esRequest, query.owaspTop10().toArray());
addSecurityCategoryFacetIfNeeded(PARAM_OWASP_TOP_10_2021, OWASP_TOP_10_2021, options, aggregationHelper, esRequest, query.owaspTop10For2021().toArray());
addSecurityCategoryFacetIfNeeded(PARAM_SANS_TOP_25, SANS_TOP_25, options, aggregationHelper, esRequest, query.sansTop25().toArray());
addSecurityCategoryFacetIfNeeded(PARAM_CWE, CWE, options, aggregationHelper, esRequest, query.cwe().toArray());
addSecurityCategoryFacetIfNeeded(PARAM_SONARSOURCE_SECURITY, SONARSOURCE_SECURITY, options, aggregationHelper, esRequest, query.sonarsourceSecurity().toArray());
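Review bot: The added line calls `query.owaspTop10For2021().toArray()` unconditionally, so it relies on the new IssueQuery accessor never returning null even though the value it is built from (`SearchRequest.getOwaspTop10For2021()`) is annotated `@CheckForNull`. The neighbouring accessors are used the same way, so presumably the IssueQuery builder normalises a null list to an empty collection, but that normalisation is not visible in this commit and is worth confirming, since a request that omits the parameter would otherwise fail on this line. The enclosing method starts and ends outside the hunk.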

+ 1
- 0
server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueQueryFactory.java View File

@@ -133,6 +133,7 @@ public class IssueQueryFactory {
.tags(request.getTags())
.types(request.getTypes())
.owaspTop10(request.getOwaspTop10())
.owaspTop10For2021(request.getOwaspTop10For2021())
.sansTop25(request.getSansTop25())
.cwe(request.getCwe())
.sonarsourceSecurity(request.getSonarsourceSecurity())

+ 9
- 1
server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/SearchAction.java View File

@@ -112,6 +112,7 @@ import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_ISSUES;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_LANGUAGES;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_ON_COMPONENT_ONLY;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_OWASP_TOP_10;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_OWASP_TOP_10_2021;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_PROJECTS;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_PULL_REQUEST;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_RESOLUTIONS;
@@ -149,6 +150,7 @@ public class SearchAction implements IssuesWsAction {
PARAM_TAGS,
PARAM_TYPES,
PARAM_OWASP_TOP_10,
PARAM_OWASP_TOP_10_2021,
PARAM_SANS_TOP_25,
PARAM_CWE,
PARAM_CREATED_AT,
@@ -259,9 +261,13 @@ public class SearchAction implements IssuesWsAction {
.setPossibleValues(ALL_RULE_TYPES_EXCEPT_SECURITY_HOTSPOTS)
.setExampleValue(format("%s,%s", RuleType.CODE_SMELL, RuleType.BUG));
action.createParam(PARAM_OWASP_TOP_10)
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setDescription("Comma-separated list of OWASP Top 10 2017 lowercase categories.")
.setSince("7.3")
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_OWASP_TOP_10_2021)
.setDescription("Comma-separated list of OWASP Top 10 2021 lowercase categories.")
.setSince("9.4")
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
.setSince("7.3")
@@ -460,6 +466,7 @@ public class SearchAction implements IssuesWsAction {
setTypesFacet(facets);

addMandatoryValuesToFacet(facets, PARAM_OWASP_TOP_10, request.getOwaspTop10());
addMandatoryValuesToFacet(facets, PARAM_OWASP_TOP_10_2021, request.getOwaspTop10For2021());
addMandatoryValuesToFacet(facets, PARAM_SANS_TOP_25, request.getSansTop25());
addMandatoryValuesToFacet(facets, PARAM_CWE, request.getCwe());
addMandatoryValuesToFacet(facets, PARAM_SONARSOURCE_SECURITY, request.getSonarsourceSecurity());
@@ -535,6 +542,7 @@ public class SearchAction implements IssuesWsAction {
.setTags(request.paramAsStrings(PARAM_TAGS))
.setTypes(allRuleTypesExceptHotspotsIfEmpty(request.paramAsStrings(PARAM_TYPES)))
.setOwaspTop10(request.paramAsStrings(PARAM_OWASP_TOP_10))
.setOwaspTop10For2021(request.paramAsStrings(PARAM_OWASP_TOP_10_2021))
.setSansTop25(request.paramAsStrings(PARAM_SANS_TOP_25))
.setCwe(request.paramAsStrings(PARAM_CWE))
.setSonarsourceSecurity(request.paramAsStrings(PARAM_SONARSOURCE_SECURITY))
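Review bot: In the hunk at `@@ -259,9 +261,13 @@` the ten category literals `"a1" … "a10"` are now spelled out twice, once for `PARAM_OWASP_TOP_10` and once for the new `PARAM_OWASP_TOP_10_2021`, so the two parameter definitions can silently drift apart. Extracting them into one constant, e.g. `private static final List<String> OWASP_TOP_10_CATEGORIES = List.of("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");`, and passing it to both `setPossibleValues` calls keeps the accepted values in a single place. The possible-values whitelist is what rejects unexpected input before it reaches the index query, so keeping it shared also makes that validation easier to audit. The enclosing `define` method starts and ends outside the hunk.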

+ 27
- 2
server/sonar-webserver-webapi/src/test/java/org/sonar/server/issue/ws/SearchActionTest.java View File

@@ -1026,7 +1026,7 @@ public class SearchActionTest {
ComponentDto project = db.components().insertPublicProject();
ComponentDto file = db.components().insertComponent(newFileDto(project));
Consumer<RuleDefinitionDto> ruleConsumer = ruleDefinitionDto -> ruleDefinitionDto
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1"))
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1", "owaspTop10-2021:a2"))
.setSystemTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql"));
Consumer<IssueDto> issueConsumer = issueDto -> issueDto.setTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql"));
RuleDefinitionDto hotspotRule = db.rules().insertHotspotRule(ruleConsumer);
@@ -1046,6 +1046,31 @@ public class SearchActionTest {
.containsExactlyInAnyOrder(issueDto1.getKey(), issueDto2.getKey());
}

@Test
public void only_vulnerabilities_are_returned_by_owasp_2021() {
ComponentDto project = db.components().insertPublicProject();
ComponentDto file = db.components().insertComponent(newFileDto(project));
Consumer<RuleDefinitionDto> ruleConsumer = ruleDefinitionDto -> ruleDefinitionDto
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1", "owaspTop10-2021:a2"))
.setSystemTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql"));
Consumer<IssueDto> issueConsumer = issueDto -> issueDto.setTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql"));
RuleDefinitionDto hotspotRule = db.rules().insertHotspotRule(ruleConsumer);
db.issues().insertHotspot(hotspotRule, project, file, issueConsumer);
RuleDefinitionDto issueRule = db.rules().insertIssueRule(ruleConsumer);
IssueDto issueDto1 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(RuleType.VULNERABILITY));
IssueDto issueDto2 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(RuleType.VULNERABILITY));
IssueDto issueDto3 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(CODE_SMELL));
indexPermissionsAndIssues();

SearchWsResponse result = ws.newRequest()
.setParam("owaspTop10-2021", "a2")
.executeProtobuf(SearchWsResponse.class);

assertThat(result.getIssuesList())
.extracting(Issue::getKey)
.containsExactlyInAnyOrder(issueDto1.getKey(), issueDto2.getKey());
}

@Test
public void only_vulnerabilities_are_returned_by_sansTop25() {
ComponentDto project = db.components().insertPublicProject();
@@ -1380,7 +1405,7 @@ public class SearchActionTest {
assertThat(def.params()).extracting("key").containsExactlyInAnyOrder(
"additionalFields", "asc", "assigned", "assignees", "author", "componentKeys", "branch", "pullRequest", "createdAfter", "createdAt",
"createdBefore", "createdInLast", "directories", "facets", "files", "issues", "scopes", "languages", "onComponentOnly",
"p", "projects", "ps", "resolutions", "resolved", "rules", "s", "severities", "sinceLeakPeriod", "statuses", "tags", "types", "owaspTop10", "sansTop25",
"p", "projects", "ps", "resolutions", "resolved", "rules", "s", "severities", "sinceLeakPeriod", "statuses", "tags", "types", "owaspTop10", "owaspTop10-2021", "sansTop25",
"cwe", "sonarsourceSecurity", "timeZone", "inNewCodePeriod");

WebService.Param branch = def.param(PARAM_BRANCH);
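Review bot: The new test `only_vulnerabilities_are_returned_by_owasp_2021` passes the parameter key as the literal `"owaspTop10-2021"` in `.setParam("owaspTop10-2021", "a2")`, whereas the rest of the class refers to keys through the `IssuesWsParameters` constants (`def.param(PARAM_BRANCH)` in the last hunk); using `PARAM_OWASP_TOP_10_2021` here would keep the test in step with the key value that this same commit changes. The test body is otherwise a copy of the preceding `owaspTop10` test with only the stored standard and the request parameter differing, so the common setup could move to a shared helper. The commit title is about the facet, but no test in these hunks requests `facets=owaspTop10-2021` and checks the returned facet values; unless such a test exists elsewhere in the file, the facet path added in `SearchAction` and `IssueIndex` is not exercised.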

+ 1
- 1
sonar-ws/src/main/java/org/sonarqube/ws/client/issue/IssuesWsParameters.java View File

@@ -78,7 +78,7 @@ public class IssuesWsParameters {
public static final String PARAM_TAGS = "tags";
public static final String PARAM_TYPES = "types";
public static final String PARAM_OWASP_TOP_10 = "owaspTop10";
public static final String PARAM_OWASP_TOP_10_2021 = "owaspTop10_2021";
public static final String PARAM_OWASP_TOP_10_2021 = "owaspTop10-2021";
@Deprecated
public static final String PARAM_SANS_TOP_25 = "sansTop25";
public static final String PARAM_CWE_TOP_25 = "cweTop25";
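Review bot: The new value `"owaspTop10-2021"` is the only hyphenated key among the parameter constants in this hunk (`"owaspTop10"`, `"sansTop25"`, `"cweTop25"` are all camel case), and nothing on the constant explains the deviation. From the test hunks the key appears to mirror the `owaspTop10-2021:` prefix under which the standard is stored on rules, so a one-line comment such as `// hyphenated to match the "owaspTop10-2021:" security-standard prefix stored on rules` would stop a future cleanup from "fixing" it. Since `sonar-ws` is a public client library, changing the string after a release would break clients, so documenting the intent now is worthwhile.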
