@@ -62,6 +62,7 @@ public class SearchRequest { | |||
private List<String> tags; | |||
private Set<String> types; | |||
private List<String> owaspTop10; | |||
private List<String> owaspTop10For2021; | |||
private List<String> sansTop25; | |||
private List<String> sonarsourceSecurity; | |||
private List<String> cwe; | |||
@@ -377,6 +378,16 @@ public class SearchRequest { | |||
return this; | |||
} | |||
@CheckForNull | |||
public List<String> getOwaspTop10For2021() { | |||
return owaspTop10For2021; | |||
} | |||
public SearchRequest setOwaspTop10For2021(@Nullable List<String> owaspTop10For2021) { | |||
this.owaspTop10For2021 = owaspTop10For2021; | |||
return this; | |||
} | |||
@CheckForNull | |||
public List<String> getSansTop25() { | |||
return sansTop25; |
@@ -48,7 +48,8 @@ public class SearchRequestTest { | |||
.setRules(asList("key-a", "key-b")) | |||
.setSort("CREATION_DATE") | |||
.setAsc(true) | |||
.setInNewCodePeriod(true); | |||
.setInNewCodePeriod(true) | |||
.setOwaspTop10For2021(asList("a2", "a3")); | |||
assertThat(underTest.getIssues()).containsOnlyOnce("anIssueKey"); | |||
assertThat(underTest.getSeverities()).containsExactly("MAJOR", "MINOR"); | |||
@@ -69,6 +70,7 @@ public class SearchRequestTest { | |||
assertThat(underTest.getSort()).isEqualTo("CREATION_DATE"); | |||
assertThat(underTest.getAsc()).isTrue(); | |||
assertThat(underTest.getInNewCodePeriod()).isTrue(); | |||
assertThat(underTest.getOwaspTop10For2021()).containsExactly("a2", "a3"); | |||
} | |||
@Test |
@@ -709,6 +709,7 @@ public class IssueIndex { | |||
addFacetIfNeeded(options, aggregationHelper, esRequest, TYPES, query.types().toArray()); | |||
addSecurityCategoryFacetIfNeeded(PARAM_OWASP_TOP_10, OWASP_TOP_10, options, aggregationHelper, esRequest, query.owaspTop10().toArray()); | |||
addSecurityCategoryFacetIfNeeded(PARAM_OWASP_TOP_10_2021, OWASP_TOP_10_2021, options, aggregationHelper, esRequest, query.owaspTop10For2021().toArray()); | |||
addSecurityCategoryFacetIfNeeded(PARAM_SANS_TOP_25, SANS_TOP_25, options, aggregationHelper, esRequest, query.sansTop25().toArray()); | |||
addSecurityCategoryFacetIfNeeded(PARAM_CWE, CWE, options, aggregationHelper, esRequest, query.cwe().toArray()); | |||
addSecurityCategoryFacetIfNeeded(PARAM_SONARSOURCE_SECURITY, SONARSOURCE_SECURITY, options, aggregationHelper, esRequest, query.sonarsourceSecurity().toArray()); |
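Review bot: The new `addSecurityCategoryFacetIfNeeded(PARAM_OWASP_TOP_10_2021, ...)` call invokes `.toArray()` on `query.owaspTop10For2021()` unconditionally, while the value feeding it comes from `SearchRequest.getOwaspTop10For2021()`, which is declared `@CheckForNull`; the `IssueQuery` builder method that must turn that null into an empty collection is not in this diff, so please confirm it normalizes the same way the sibling `owaspTop10(...)` presumably does, otherwise a request without the parameter would fail here before any facet is built. The enclosing IssueIndex method starts and ends outside this hunk. A short comment at the call site would make the reliance explicit: `// never null: IssueQuery normalizes the @Nullable request list to an empty collection`.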
@@ -133,6 +133,7 @@ public class IssueQueryFactory { | |||
.tags(request.getTags()) | |||
.types(request.getTypes()) | |||
.owaspTop10(request.getOwaspTop10()) | |||
.owaspTop10For2021(request.getOwaspTop10For2021()) | |||
.sansTop25(request.getSansTop25()) | |||
.cwe(request.getCwe()) | |||
.sonarsourceSecurity(request.getSonarsourceSecurity()) |
@@ -112,6 +112,7 @@ import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_ISSUES; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_LANGUAGES; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_ON_COMPONENT_ONLY; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_OWASP_TOP_10; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_OWASP_TOP_10_2021; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_PROJECTS; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_PULL_REQUEST; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.PARAM_RESOLUTIONS; | |||
@@ -149,6 +150,7 @@ public class SearchAction implements IssuesWsAction { | |||
PARAM_TAGS, | |||
PARAM_TYPES, | |||
PARAM_OWASP_TOP_10, | |||
PARAM_OWASP_TOP_10_2021, | |||
PARAM_SANS_TOP_25, | |||
PARAM_CWE, | |||
PARAM_CREATED_AT, | |||
@@ -259,9 +261,13 @@ public class SearchAction implements IssuesWsAction { | |||
.setPossibleValues(ALL_RULE_TYPES_EXCEPT_SECURITY_HOTSPOTS) | |||
.setExampleValue(format("%s,%s", RuleType.CODE_SMELL, RuleType.BUG)); | |||
action.createParam(PARAM_OWASP_TOP_10) | |||
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories.") | |||
.setDescription("Comma-separated list of OWASP Top 10 2017 lowercase categories.") | |||
.setSince("7.3") | |||
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10"); | |||
action.createParam(PARAM_OWASP_TOP_10_2021) | |||
.setDescription("Comma-separated list of OWASP Top 10 2021 lowercase categories.") | |||
.setSince("9.4") | |||
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10"); | |||
action.createParam(PARAM_SANS_TOP_25) | |||
.setDescription("Comma-separated list of SANS Top 25 categories.") | |||
.setSince("7.3") | |||
@@ -460,6 +466,7 @@ public class SearchAction implements IssuesWsAction { | |||
setTypesFacet(facets); | |||
addMandatoryValuesToFacet(facets, PARAM_OWASP_TOP_10, request.getOwaspTop10()); | |||
addMandatoryValuesToFacet(facets, PARAM_OWASP_TOP_10_2021, request.getOwaspTop10For2021()); | |||
addMandatoryValuesToFacet(facets, PARAM_SANS_TOP_25, request.getSansTop25()); | |||
addMandatoryValuesToFacet(facets, PARAM_CWE, request.getCwe()); | |||
addMandatoryValuesToFacet(facets, PARAM_SONARSOURCE_SECURITY, request.getSonarsourceSecurity()); | |||
@@ -535,6 +542,7 @@ public class SearchAction implements IssuesWsAction { | |||
.setTags(request.paramAsStrings(PARAM_TAGS)) | |||
.setTypes(allRuleTypesExceptHotspotsIfEmpty(request.paramAsStrings(PARAM_TYPES))) | |||
.setOwaspTop10(request.paramAsStrings(PARAM_OWASP_TOP_10)) | |||
.setOwaspTop10For2021(request.paramAsStrings(PARAM_OWASP_TOP_10_2021)) | |||
.setSansTop25(request.paramAsStrings(PARAM_SANS_TOP_25)) | |||
.setCwe(request.paramAsStrings(PARAM_CWE)) | |||
.setSonarsourceSecurity(request.paramAsStrings(PARAM_SONARSOURCE_SECURITY)) |
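Review bot: The new parameter key `owaspTop10-2021` is the only hyphenated name in an otherwise camelCase parameter set (`owaspTop10`, `sansTop25`, `cwe`, `createdAt`), and its value was just switched from `owaspTop10_2021`; if the hyphen is deliberate, which the `owaspTop10-2021:` prefix used for stored security standards in the tests suggests, that reasoning belongs next to the constant, e.g. `// key intentionally mirrors the "owaspTop10-2021:<category>" security-standard prefix`. The values are whitelisted through `setPossibleValues("a1", ..., "a10")`, so the untrusted query input is bounded before it reaches the index, which is the right shape. Now that the 2017 description explicitly names its edition, consider whether `PARAM_OWASP_TOP_10` should also carry `.setDeprecatedSince("9.4")` if the 2017 list is meant to be retired, so API clients learn which list is current; `PARAM_SANS_TOP_25` is already `@Deprecated` on its constant.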
@@ -1026,7 +1026,7 @@ public class SearchActionTest { | |||
ComponentDto project = db.components().insertPublicProject(); | |||
ComponentDto file = db.components().insertComponent(newFileDto(project)); | |||
Consumer<RuleDefinitionDto> ruleConsumer = ruleDefinitionDto -> ruleDefinitionDto | |||
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1")) | |||
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1", "owaspTop10-2021:a2")) | |||
.setSystemTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql")); | |||
Consumer<IssueDto> issueConsumer = issueDto -> issueDto.setTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql")); | |||
RuleDefinitionDto hotspotRule = db.rules().insertHotspotRule(ruleConsumer); | |||
@@ -1046,6 +1046,31 @@ public class SearchActionTest { | |||
.containsExactlyInAnyOrder(issueDto1.getKey(), issueDto2.getKey()); | |||
} | |||
@Test | |||
public void only_vulnerabilities_are_returned_by_owasp_2021() { | |||
ComponentDto project = db.components().insertPublicProject(); | |||
ComponentDto file = db.components().insertComponent(newFileDto(project)); | |||
Consumer<RuleDefinitionDto> ruleConsumer = ruleDefinitionDto -> ruleDefinitionDto | |||
.setSecurityStandards(Sets.newHashSet("cwe:20", "cwe:564", "cwe:89", "cwe:943", "owaspTop10:a1", "owaspTop10-2021:a2")) | |||
.setSystemTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql")); | |||
Consumer<IssueDto> issueConsumer = issueDto -> issueDto.setTags(Sets.newHashSet("bad-practice", "cwe", "owasp-a1", "sans-top25-insecure", "sql")); | |||
RuleDefinitionDto hotspotRule = db.rules().insertHotspotRule(ruleConsumer); | |||
db.issues().insertHotspot(hotspotRule, project, file, issueConsumer); | |||
RuleDefinitionDto issueRule = db.rules().insertIssueRule(ruleConsumer); | |||
IssueDto issueDto1 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(RuleType.VULNERABILITY)); | |||
IssueDto issueDto2 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(RuleType.VULNERABILITY)); | |||
IssueDto issueDto3 = db.issues().insertIssue(issueRule, project, file, issueConsumer, issueDto -> issueDto.setType(CODE_SMELL)); | |||
indexPermissionsAndIssues(); | |||
SearchWsResponse result = ws.newRequest() | |||
.setParam("owaspTop10-2021", "a2") | |||
.executeProtobuf(SearchWsResponse.class); | |||
assertThat(result.getIssuesList()) | |||
.extracting(Issue::getKey) | |||
.containsExactlyInAnyOrder(issueDto1.getKey(), issueDto2.getKey()); | |||
} | |||
@Test | |||
public void only_vulnerabilities_are_returned_by_sansTop25() { | |||
ComponentDto project = db.components().insertPublicProject(); | |||
@@ -1380,7 +1405,7 @@ public class SearchActionTest { | |||
assertThat(def.params()).extracting("key").containsExactlyInAnyOrder( | |||
"additionalFields", "asc", "assigned", "assignees", "author", "componentKeys", "branch", "pullRequest", "createdAfter", "createdAt", | |||
"createdBefore", "createdInLast", "directories", "facets", "files", "issues", "scopes", "languages", "onComponentOnly", | |||
"p", "projects", "ps", "resolutions", "resolved", "rules", "s", "severities", "sinceLeakPeriod", "statuses", "tags", "types", "owaspTop10", "sansTop25", | |||
"p", "projects", "ps", "resolutions", "resolved", "rules", "s", "severities", "sinceLeakPeriod", "statuses", "tags", "types", "owaspTop10", "owaspTop10-2021", "sansTop25", | |||
"cwe", "sonarsourceSecurity", "timeZone", "inNewCodePeriod"); | |||
WebService.Param branch = def.param(PARAM_BRANCH); |
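Review bot: The new `only_vulnerabilities_are_returned_by_owasp_2021` test gives every rule both `owaspTop10:a1` and `owaspTop10-2021:a2`, so it shows the 2021 filter does not match the 2017 `a1`, but it never shows that a rule carrying only the 2017 `owaspTop10:a2` is excluded when querying `owaspTop10-2021=a2`; an index mapping that matched either prefix on the category would still pass. Add a rule whose standards are only `owaspTop10:a2`, insert a VULNERABILITY on it, and assert it is absent from the result. The same blind spot now exists in the pre-existing `owaspTop10` test, whose rule consumer also receives `owaspTop10-2021:a2`. Using `PARAM_OWASP_TOP_10_2021` rather than the literal `"owaspTop10-2021"` in `setParam` would track future renames, though the literal does pin the public name and matches the convention of the `def.params()` assertion.

```java
RuleDefinitionDto owasp2017OnlyRule = db.rules().insertIssueRule(r -> r.setSecurityStandards(Sets.newHashSet("owaspTop10:a2")));
IssueDto issueOnly2017 = db.issues().insertIssue(owasp2017OnlyRule, project, file, issueConsumer, issueDto -> issueDto.setType(RuleType.VULNERABILITY));
// … unchanged: indexPermissionsAndIssues() and the owaspTop10-2021=a2 request …
assertThat(result.getIssuesList())
  .extracting(Issue::getKey)
  .containsExactlyInAnyOrder(issueDto1.getKey(), issueDto2.getKey())
  .doesNotContain(issueOnly2017.getKey());
```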
@@ -78,7 +78,7 @@ public class IssuesWsParameters { | |||
public static final String PARAM_TAGS = "tags"; | |||
public static final String PARAM_TYPES = "types"; | |||
public static final String PARAM_OWASP_TOP_10 = "owaspTop10"; | |||
public static final String PARAM_OWASP_TOP_10_2021 = "owaspTop10_2021"; | |||
public static final String PARAM_OWASP_TOP_10_2021 = "owaspTop10-2021"; | |||
@Deprecated | |||
public static final String PARAM_SANS_TOP_25 = "sansTop25"; | |||
public static final String PARAM_CWE_TOP_25 = "cweTop25"; |